CVSS3
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 21.5%
libzephyr.so is vulnerable to Denial of Service (DoS). The vulnerability is in the le_advertising_report function in /subsys/bluetooth/controller/hci/hci.c, which does not process an advertising packet properly when copying data. The root causes are an integer overflow when the result of (adv->len - BDADDR_SIZE) is stored in the data_len variable, and a buffer overflow when memcpy then copies data using data_len as the number of bytes to copy. A malicious BLE device can trigger the buffer overflow by sending a malformed advertising packet, leading to DoS or potential RCE on the victim BLE device.
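
The length handling described above, as an added example that is not Zephyr's code: a simplified model showing how the unchecked subtraction wraps and how a bounds check rejects the malformed packet before any copy. The struct layout, the uint8_t width of data_len, the 31-byte destination size and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BDADDR_SIZE     6   /* Bluetooth device address length in bytes */
#define REPORT_DATA_MAX 31  /* assumed capacity of the destination buffer */

/* Simplified stand-in for a received advertising PDU (hypothetical layout). */
struct adv_pdu {
    uint8_t len;            /* sender-controlled: address bytes + data bytes */
    uint8_t payload[BDADDR_SIZE + REPORT_DATA_MAX];
};

/* Flawed pattern from the description: the result is stored without first
 * checking len >= BDADDR_SIZE, so a short packet wraps to a large value.
 * Returns the byte count a following memcpy would be asked to copy. */
uint8_t unchecked_data_len(const struct adv_pdu *adv)
{
    uint8_t data_len = adv->len - BDADDR_SIZE;  /* len = 2 gives 252 */
    return data_len;
}

/* Hardened form: validate both bounds before any arithmetic or copy.
 * Returns bytes copied, or -1 if the PDU is malformed and must be dropped. */
int copy_adv_data(const struct adv_pdu *adv, uint8_t *dst, size_t dst_size)
{
    if (adv->len < BDADDR_SIZE) {
        return -1;          /* too short to hold even the address */
    }
    size_t data_len = (size_t)adv->len - BDADDR_SIZE;
    if (data_len > dst_size || data_len > REPORT_DATA_MAX) {
        return -1;          /* would overrun the destination or the source */
    }
    memcpy(dst, &adv->payload[BDADDR_SIZE], data_len);
    return (int)data_len;
}

int main(void)
{
    struct adv_pdu bad = { .len = 2 };  /* constructed malformed PDU */
    uint8_t dst[REPORT_DATA_MAX];

    printf("unchecked data_len = %u\n", (unsigned)unchecked_data_len(&bad));
    printf("checked copy       = %d\n", copy_adv_data(&bad, dst, sizeof(dst)));
    return 0;
}
```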
github.com/zephyrproject-rtos/zephyr/commit/1ee7bc098990c6599633e1a11a3ca3db3528b6b8
github.com/zephyrproject-rtos/zephyr/commit/4c94349b077fb3fec618ac275f5e4c19982b7132
github.com/zephyrproject-rtos/zephyr/commit/75634fdcb4b5fbcf08c172eb4a506343bccac644
github.com/zephyrproject-rtos/zephyr/commit/b519f302e558c778d08f8a3065406b52b5bfab27
github.com/zephyrproject-rtos/zephyr/pull/61651
github.com/zephyrproject-rtos/zephyr/pull/61694
github.com/zephyrproject-rtos/zephyr/pull/61695
github.com/zephyrproject-rtos/zephyr/pull/61696
github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j4qm-xgpf-qjw3