CVE-2026-10641: Out-of-bounds write in Bluetooth HFP Hands-Free CIND indicator parsing (cind_handle_values)
Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf->ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf.

Because the parser places no cap on the number of +CIND: list entries, a remote Audio Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction.

The sibling consumer ag_indicator_handle_values() already performed the equivalent bounds check; this commit adds the same index >= ARRAY_SIZE(hf->ind_table) guard to close the gap. Affects builds with CONFIG_BT_HFP_HF enabled; introduced with the original HFP HF CIND parser (~v1.7) and present through v4.4.0.
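To make the missing check concrete, the following is an added example, not Zephyr's hfp_hf.c and not HarborGuard's code: a small C model of the +CIND: list walk with the guard the fix adds. struct hf_state, hf_ind_names, cind_handle_values_fixed(), parse_cind_response(), check_response() and sample_indicator_at() are constructed names, as are the sample AG responses; the 20-element table size and the index >= ARRAY_SIZE(...) form of the guard come from the advisory text above. The example feeds responses with 20 and with 21 recognized entries through the parser and shows the second being rejected at the point where the unguarded original would have written ind_table[20], with the neighbouring field left intact.

```c
/* Added example, not Zephyr's code: a minimal +CIND: response parser that models the
 * index >= ARRAY_SIZE() guard the CVE-2026-10641 fix adds to cind_handle_values().
 * The struct layout, indicator table and every function name here are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define HF_IND_MAX 20 /* the 20-element ind_table[] named in the advisory */

/* Constructed stand-in for the HF connection slot: the indexed table plus one
 * neighbouring field that acts as a canary for what an overflow would clobber. */
struct hf_state {
	int8_t ind_table[HF_IND_MAX];
	uint32_t feature_mask;
};

/* Indicator names this parser recognizes (constructed subset of the HFP names). */
static const char *const hf_ind_names[] = {
	"service", "call", "callsetup", "callheld", "signal", "roam", "battchg",
};

/* Hardened consumer. The unguarded original was only the assignment; the bounds
 * check in front of it is the entire fix described above. */
static int cind_handle_values_fixed(struct hf_state *hf, size_t index, int8_t ind)
{
	if (index >= ARRAY_SIZE(hf->ind_table)) {
		return -EINVAL; /* refuse rather than write past ind_table[] */
	}
	hf->ind_table[index] = ind;
	return 0;
}

/* Walk a response such as  +CIND: ("service",(0,1)),("call",(0,1)),...
 * Each parenthesised entry consumes the next index; recognized names are stored.
 * Returns the entry count, or a negative errno once the list outgrows the table. */
static int parse_cind_response(struct hf_state *hf, const char *resp)
{
	const char *p = strstr(resp, "+CIND:");
	size_t index = 0;
	if (p == NULL) {
		return -EINVAL;
	}
	p += strlen("+CIND:");
	/* The (lo,hi) ranges carry no quotes, so the next '"' is always a name. */
	while ((p = strchr(p, '"')) != NULL) {
		const char *end = strchr(p + 1, '"');
		int8_t ind = -1;
		if (end == NULL) {
			return -EINVAL; /* unterminated name */
		}
		for (size_t i = 0; i < ARRAY_SIZE(hf_ind_names); i++) {
			size_t len = (size_t)(end - p - 1);
			if (strlen(hf_ind_names[i]) == len &&
			    memcmp(hf_ind_names[i], p + 1, len) == 0) {
				ind = (int8_t)i;
				break;
			}
		}
		if (ind >= 0 && cind_handle_values_fixed(hf, index, ind) != 0) {
			return -EINVAL; /* the peer listed more entries than the table holds */
		}
		index++;
		p = end + 1;
	}
	return (int)index;
}

/* Build a constructed AG response with `n` recognized entries and parse it.
 * 1 = accepted with the canary intact, 0 = rejected with the canary intact,
 * -1 = the field beside ind_table[] changed, which the fix must never allow. */
static int check_response(unsigned n)
{
	struct hf_state hf = { .feature_mask = 0xDEADBEEFu };
	char buf[4096];
	size_t off = (size_t)snprintf(buf, sizeof(buf), "+CIND: ");
	int rc;
	for (unsigned i = 0; i < n && off < sizeof(buf); i++) {
		off += (size_t)snprintf(buf + off, sizeof(buf) - off,
					"%s(\"call\",(0,1))", i ? "," : "");
	}
	rc = parse_cind_response(&hf, buf);
	if (hf.feature_mask != 0xDEADBEEFu) {
		return -1;
	}
	return rc < 0 ? 0 : 1;
}

/* Parse a constructed seven-indicator response and return the ID stored at `pos`. */
static int sample_indicator_at(size_t pos)
{
	static const char sample[] =
		"+CIND: (\"service\",(0,1)),(\"call\",(0,1)),(\"callsetup\",(0-3)),"
		"(\"callheld\",(0-2)),(\"signal\",(0-5)),(\"roam\",(0,1)),(\"battchg\",(0-5))";
	struct hf_state hf = { 0 };
	if (pos >= HF_IND_MAX || parse_cind_response(&hf, sample) != 7) {
		return -1;
	}
	return hf.ind_table[pos];
}
```

Call check_response() from a main() of your own: a 7- or 20-entry response is accepted (1), while 21 or more entries are rejected (0) because the guard fires at index 20 instead of letting the write land beyond ind_table[]. The design point is that the cap sits in the consumer, next to the write, so every caller that walks the list is covered, which is also why the advisory notes that the AG-side sibling ag_indicator_handle_values() already had the check while the HF side did not.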
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 4.5.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
Out-of-bounds write in the Zephyr RTOS Bluetooth Hands-Free Profile (HFP) parser allows a malicious or spoofed Bluetooth Audio Gateway peer to corrupt memory during connection setup. The flaw is reachable over Bluetooth from an adjacent network position with no authentication required and no user interaction needed. Successful exploitation crashes the Bluetooth host stack and may corrupt adjacent struct fields, causing denial of service; a patched-image rebuild at Zephyr 4.5.0 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that incorporate Zephyr with CONFIG_BT_HFP_HF enabled. Any image carrying a Zephyr version between 1.7.0 and 4.4.0 (inclusive) with the affected Bluetooth HFP configuration is flagged automatically.
HarborGuard scores this CVE at CVSS 7.1 (HIGH) and can apply per-environment compliance policy weighting to adjust priority, for example elevating it for organizations that ship IoT or embedded products with Bluetooth Classic enabled. Triage findings are routed to the inbox or ticketing integration configured by each customer org.
A patched-image rebuild at Zephyr 4.5.0, which includes the bounds-check guard added to cind_handle_values(), is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability
  The attacker must be in Bluetooth radio range or on an adjacent network segment (LAN or paired-device proximity); remote over-the-internet exploitation is not possible without a co-located relay.
- Authentication: Not required
  No account, pairing credential, or prior session is required; any device that can present itself as a Bluetooth Audio Gateway during Service Level Connection setup can trigger the write.
- Victim interaction: Not required
  The malformed +CIND: response is sent by the attacker-controlled peer during an automated protocol handshake; no user click, approval, or other action is needed.
- Attack complexity
  Exploit reliability is high and condition-free: sending a single AT response with more than 20 +CIND entries deterministically drives the out-of-bounds index, requiring no race condition or memory-layout guessing.
Blast Radius
- Crashes the Bluetooth host stack on the target device, disabling all Bluetooth Classic functionality until the stack is restarted or the device reboots.
- Overwrites adjacent struct fields in the bt_hfp_hf connection slot, corrupting feature masks, SDP state, and call-tracking arrays, which can cause incorrect call handling behavior before or after a crash.
- May corrupt work-queue and atomic bookkeeping fields beyond the static connection pool slot, potentially destabilizing other Bluetooth subsystem operations on the same host.
How HarborGuard Handles This
Available on HarborGuard: images containing Zephyr versions 1.7.0 through 4.4.0 built with CONFIG_BT_HFP_HF enabled are matched against CVE-2026-10641 at ingest time. A rebuild targeting Zephyr 4.5.0, which closes the missing bounds check in cind_handle_values(), is available for affected images. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image, a regression-test run against the new image, and a pull request opened against affected workloads; for high-severity issues the median time from publication to merged PR in those environments is around 90 minutes. Customers who manage remediation manually can use the HarborGuard findings feed to identify every affected image and the exact Zephyr configuration flag driving exposure. As a compensating control while a rebuild is staged, network-policy isolation of Bluetooth-capable workloads and disabling CONFIG_BT_HFP_HF in builds that do not require Hands-Free Profile support are recommended steps to reduce the attack surface.
- zephyrproject / zephyr: < 4.5.0 (from 1.7.0)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H