CVE-2026-10660 - Memory Corruption in Bluetooth BAP Broadcast Assistant
CVE-2026-10660 - Memory Corruption in Bluetooth BAP Broadcast Assistant
CVE-2026-10660 addresses a critical issue concerning a shared reassembly buffer in the Bluetooth BAP Broadcast Assistant. This vulnerability impacts the Bluetooth BAP Broadcast Assistant GATT client located in subsys/bluetooth/audio/bap_broadcast_assistant.c. The component reassembles remote Broadcast Receive State data into a single file-static net_buf_simple (att_buf, BT_ATT_MAX_ATTRIBUTE_LEN = 512 bytes) shared by all connection instances, while the BUSY flag, long-read handle, and reset/offset state are per-connection.
When the device operates as a Broadcast Assistant connected to multiple Scan Delegator peripherals, notifications and long-read callbacks from different connections can interleave on the shared buffer. The append in notify_handler (net_buf_simple_add_mem at the not-busy branch) fails to perform a tailroom check. Consequently, receive-state notifications from two or more delegators can accumulate on the same 512-byte buffer. With a sufficiently large configured ATT MTU (BT_L2CAP_TX_MTU up to 2000) and two to three concurrent connections, this can lead to writes past the buffer into adjacent memory, causing memory corruption and denial of service.
Even below the overflow threshold, one connection’s net_buf_simple_reset can zero the shared length while another connection’s reassembly and GATT read offset are in flight, mixing data from different peers. A malicious or compromised Scan Delegator (or two colluding peers) over BLE can exploit this vulnerability, leading to out-of-bounds writes and cross-connection data corruption.
This issue affects Zephyr releases shipping the Broadcast Assistant with the shared buffer, including v4.4.0 and earlier. The fix involves moving the buffer into the per-connection instance struct, ensuring each connection reassembles into its own buffer.