Summary
Out-of-bounds write caused by an integer underflow.
Details
Location: subsys/bluetooth/mesh/solicitation.c:237-242
bt_mesh_sol_recv() in solicitation.c is called from bt_mesh_scan_cb when a BLE advertisement with AD type BT_DATA_UUID16_SOME or BT_DATA_UUID16_ALL is received and CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled. It parses the solicitation PDU from the raw BLE advertising payload.
The vulnerability lies in the inner AD parsing loop:
    while (buf->len >= 22) {
        reported_len = net_buf_simple_pull_u8(buf);     /* attacker-controlled byte */
        ...
        if (buf->len <= reported_len - 3) {             /* LINE 237: guard bypassed when reported_len < 3 */
            return;
        }
        net_buf_simple_pull_mem(buf, reported_len - 3); /* LINE 242: out-of-bounds pull */
    }
reported_len is a uint8_t pulled directly from the attacker-controlled BLE advertisement. When reported_len < 3 (e.g., reported_len = 0):
- reported_len - 3 undergoes C integer promotion to int, yielding -3.
- The guard at line 237: buf->len (uint16_t, promoted to int) <= -3 evaluates as 22 <= -3, which is FALSE, so the protective return is NOT taken.
- Line 242: net_buf_simple_pull_mem(buf, reported_len - 3) receives the int value -3, which is implicitly converted to size_t = 0xFFFFFFFD (32-bit ARM).
- In release builds (CONFIG_ASSERT=n), the assertion __ASSERT_NO_MSG(buf->len >= len) is a no-op.
- buf->len -= 0xFFFFFFFD wraps the uint16_t (the buffer length becomes buf->len + 3).
- buf->data += 0xFFFFFFFD moves the data pointer ~4 GB forward, so it points to invalid memory.
- Subsequent reads from buf (e.g., line 250: type = net_buf_simple_pull_u8(buf)) dereference the out-of-bounds pointer.
Impact
An out-of-bounds write can lead to arbitrary code execution. This is more severe in real-time
operating systems like Zephyr that run on embedded devices without common memory
protection mechanisms. Even on devices with some form of memory protection, it can still lead to
a crash and a resulting denial of service.
Patches
main: #105585
v4.3: #108334
v3.7: #108333
For more information
If you have any questions or comments about this advisory:
embargo: 2026-06-03