{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-10641/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-17T15:00:13.802Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-10641","@id":"https://www.cve.org/CVERecord?id=CVE-2026-10641","description":"Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf-ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of stru"},"products":[{"@id":"cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 4.5.0.","timestamp":"2026-06-17T15:00:13.802Z"}]}