LiveActive security incident?Get immediate response
CVE Record

CVE-2026-10660: Shared reassembly buffer in Bluetooth BAP Broadcast Assistant enables cross-connection memory corruption

The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assistant.c reassembled remote Broadcast Receive State data into a single file-static net_buf_simple (att_buf, BT_ATT_MAX_ATTRIBUTE_LEN = 512 bytes) shared by all connection instances, while the BUSY flag, long-read handle, and reset/offset state were per-connection. When the device acts as a Broadcast Assistant connected to multiple Scan Delegator peripherals, notification and long-read callbacks from different connections interleave on the shared buffer: the append in notify_handler (net_buf_simple_add_mem at the not-busy branch) performs no tailroom check, so receive-state notifications from two or more delegators accumulate on the same 512-byte buffer and, with a sufficiently large configured ATT MTU (BT_L2CAP_TX_MTU up to 2000) and two-to-three concurrent connections, write past the buffer into adjacent .bss (net_buf_simple_add only asserts in debug builds). Even below the overflow threshold, one connection's net_buf_simple_reset zeroes the shared length while another connection's reassembly and GATT read offset are in flight, mixing one peer's data into another's parse. A malicious or compromised Scan Delegator (or two colluding peers) over BLE can trigger this, causing out-of-bounds writes (memory corruption / denial of service) and cross-connection data corruption. The fix moves the buffer into the per-connection instance struct so each connection reassembles into its own buffer. Affects Zephyr releases shipping the Broadcast Assistant with the shared buffer, including v4.4.0 and earlier.

MediumCVSS 6.4Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2026-10660 affects Zephyr devices acting as Bluetooth BAP Broadcast Assistants. Multiple connected BLE Scan Delegators can interfere with one shared reassembly buffer, causing memory corruption, denial of service, or mixed peer data. The advisory reports a patch, but there is no evidence of active exploitation in the provided sources.

Executive priority

Prioritize assessment for Bluetooth audio or LE Audio products using Zephyr. This is not internet-reachable and has high attack complexity, but successful exploitation can disrupt devices or corrupt memory, which matters for safety, availability, and field reliability.

Technical view

The Broadcast Assistant GATT client used one file-static 512-byte net_buf_simple for all connections while tracking busy, offset, and reset state per connection. Interleaved notification and long-read callbacks can append without a tailroom check or reset another connection's buffer state, causing out-of-bounds writes and cross-connection parsing corruption.

Likely exposure

Exposure is most likely in embedded products running Zephyr with Bluetooth audio Broadcast Assistant functionality enabled and connected to multiple Scan Delegator peripherals. The bundle says releases shipping the shared buffer are affected, including v4.4.0 and earlier, but its affected-version metadata only lists Zephyr 3.6.0, so version scope should be verified against the advisory.

Exploitation context

The attacker must be within BLE range and operate a malicious or compromised Scan Delegator, or coordinate multiple peers. The CVSS vector is adjacent network, high complexity, no privileges, and no user interaction. The source bundle marks KEV false and provides no cited evidence of exploitation in the wild.

Researcher notes

Focus validation on concurrent connection behavior in the Broadcast Assistant GATT client. The key flaw is state separation failure: per-connection control state with a global data buffer. Avoid assuming broader Zephyr Bluetooth impact without source confirmation. The provided version data is incomplete or inconsistent and should be reconciled with upstream GHSA metadata.

Mitigation direction

  • Apply the Zephyr fix commit or update to a vendor release containing it.
  • Track GHSA-73c7-3rh7-v5p9 for official fixed-version and backport guidance.
  • Disable Broadcast Assistant functionality where the product does not require it.
  • For downstream firmware, request vendor confirmation that the per-connection buffer fix is included.

Validation and detection

  • Inventory products using Zephyr Bluetooth audio Broadcast Assistant code.
  • Check whether bap_broadcast_assistant.c uses a shared file-static reassembly buffer.
  • Confirm patched builds move the receive-state buffer into per-connection instance state.
  • Review BLE configurations involving multiple Scan Delegator connections and large ATT MTU values.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-787: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-10660 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.4 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
3Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.4CVSS 3.1MediumCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H1.64.7zephyr

Vulnerability scoring details

Base CVSS 3.1 score

6.4Medium
CVSS 3.1 vector shape for CVE-2026-10660Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
zephyrprojectzephyrzephyr, 3.6.0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-787 · source CWE mapping

Out-of-bounds Write

Out-of-bounds Write represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.