Severity: HIGH | CNA: zephyr

CVE-2026-5068: bt: l2cap le coc: remote oob write via seg counter stored in net_buf user_data

A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the segmentation counter stored in the net_buf user_data area is written out of bounds in l2cap_chan_le_recv_seg (subsys/bluetooth/host/l2cap.c). The observed effects are an AddressSanitizer abort and, without ASan, heap corruption / fatal error.

Metrics

  • CVSS v3.1: 7.6
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability affects the Zephyr RTOS Bluetooth host stack, specifically during L2CAP LE Connection-Oriented Channel SDU reassembly. The flaw is reachable over Bluetooth from an adjacent wireless peer with no authentication required, and it allows a remote attacker to corrupt heap memory or trigger a fatal crash. No upstream fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-5068 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Zephyr 4.3.0 or earlier. Any image in a customer registry or CI pipeline carrying an affected Zephyr version will surface as a finding automatically.

Triage: Available

Triage capability is available using the CVSS v3.1 score of 7.6 (HIGH), derived from the published vector. This score is weighted against each customer environment's compliance policy to determine urgency and routing, and findings are directed to the appropriate team inbox within each customer org based on the configured policy rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the Zephyr project ships a fix. Once a fix version is available, customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability
    The attacker must be within Bluetooth radio range or on an adjacent network segment; this is not exploitable over the public internet.

  • Authentication: Not required
    No BLE pairing or authentication is needed; any unpaired peer in range can send the malformed L2CAP segments.

  • Victim interaction: Not required
    No action by a user or process on the target device is required to trigger the vulnerability.

  • Attack complexity: Low
    The exploit is reliable and condition-free once the attacker is within range, with no race conditions or special memory-layout requirements needed.

Blast Radius

  • Corrupts heap memory in the Bluetooth host process, which can redirect execution or alter neighboring allocations in unpredictable ways.
  • Crashes the affected Zephyr device with a fatal error, taking down all services running on it.
  • Reads from nearby heap regions may expose small amounts of in-memory state, such as connection metadata or buffer contents.
  • An attacker with repeated access can chain heap corruption to influence application-level data structures managed by the Bluetooth stack.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-5068 is matched against customer images on every scan cycle. Because no upstream fix exists yet, HarborGuard monitors the Zephyr advisory tracker and will make a patched-image rebuild available automatically the moment a fix version is published; for customers with auto-remediation enabled, this triggers a rebuild, regression-test run, and PR against affected workloads without manual intervention.

While awaiting a patch, compensating controls worth considering include:

  • network-policy isolation to restrict which containers or workloads can reach BLE-exposed services;
  • disabling L2CAP LE CoC segmentation (chan_ops.alloc_buf) in application code where operationally feasible;
  • ensuring any RX buffer pool is configured with a user_data_size of at least 2 bytes as a short-term mitigation.

HarborGuard will surface updated guidance in the finding detail as the advisory progresses.
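The mitigation above comes down to one invariant: a buffer that will carry the 2-byte segmentation counter must have a user_data area of at least 2 bytes. The following is an added, constructed C model (not Zephyr's net_buf or l2cap.c code) of that invariant, with an init-time pool audit and a store routine that refuses the write instead of overrunning the buffer; `struct model_buf`, `struct model_pool`, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the relevant parts of a net_buf: not Zephyr's
 * struct, just enough to show the size check described in the advisory. */
struct model_buf {
    size_t  user_data_size;   /* bytes of user_data the pool actually reserved */
    uint8_t user_data[8];     /* backing store; only user_data_size is valid */
};

/* Size of the per-SDU segmentation counter the advisory describes. */
#define SEG_COUNTER_SIZE sizeof(uint16_t)

/* Hypothetical pool descriptor: the one field that matters here. */
struct model_pool {
    size_t user_data_size;
};

/* Init-time audit: a pool handed out by chan_ops.alloc_buf for a segmented
 * LE CoC channel must reserve at least 2 bytes of user_data per buffer. */
bool pool_supports_segmentation(const struct model_pool *pool)
{
    return pool->user_data_size >= SEG_COUNTER_SIZE;
}

/* Hardened store: refuse to write the counter into a user_data area that
 * cannot hold it, rather than corrupting whatever follows the buffer. */
int store_seg_count_checked(struct model_buf *buf, uint16_t seg_count)
{
    if (buf->user_data_size < SEG_COUNTER_SIZE) {
        return -1;  /* caller drops the SDU or tears down the channel */
    }
    memcpy(buf->user_data, &seg_count, SEG_COUNTER_SIZE);
    return 0;
}

/* Read the counter back; only meaningful after a successful store. */
uint16_t load_seg_count(const struct model_buf *buf)
{
    uint16_t v;
    memcpy(&v, buf->user_data, SEG_COUNTER_SIZE);
    return v;
}
```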

Affected packages

  • zephyrproject-rtos / Zephyr, ≤ 4.3.0

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H