bt: l2cap le coc: remote oob write via seg counter stored in net_buf user_data

High

ceolin published GHSA-qrcq-hxwj-mqxm

Jun 9, 2026

Package

zephyr

Affected versions

<= 4.4.0

Patched versions

None

Description

summary

a remote unauthenticated ble peer can trigger a 2-byte out-of-bounds write in the bluetooth host during le coc sdu reassembly when the application enables segmentation (chan_ops.alloc_buf) and the chosen rx pool has user_data_size < 2.
observed end effects: (a) asan abort with a backtrace to subsys/bluetooth/host/l2cap.c:2618, and (b) without asan, heap corruption/fatal error in a freelist-poisoning harness.

pins

repo: https://github.com/zephyrproject-rtos/zephyr
commit: 02191db
callsite: subsys/bluetooth/host/l2cap.c:2618 (l2cap_chan_le_recv_seg)
pinned link:

zephyr/subsys/bluetooth/host/l2cap.c

Line 2618 in 02191db

memcpy(net_buf_user_data(chan->_sdu), &seg, sizeof(seg));

Patches

main: #104913
v4.3: #108335

For more information

If you have any questions or comments about this advisory:

Open an issue in zephyr
Email us at Zephyr-vulnerabilities

embargo: 2026-05-21

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Adjacent

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H