CVE-2025-9558 in Zephyr

Summary

by MITRE • 11/26/2025

There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size.


Analysis

by VulDB Data Team • 11/27/2025

CVE-2025-9558 is an out-of-bounds write in Zephyr's Bluetooth Mesh provisioning code. The affected function, gen_prov_start in pb_adv.c, handles the Transaction Start PDU of the PB-ADV provisioning bearer, the advertising bearer used to bring a device into a mesh network. The function copies the received provisioning data into the receiver buffer link.rx.buf without first checking that it fits, so a peer that sends an oversized Transaction Start PDU writes past the end of that buffer into whatever memory follows it. The summary does not say what is adjacent to link.rx.buf, so the practical consequence ranges from a crash of the mesh stack to memory corruption that an attacker could try to steer further.

The bug is a plain missing length check rather than anything subtle in the protocol. A Transaction Start PDU carries a TotalLength field announcing the size of the complete provisioning PDU, followed by the first segment of its data; a receiver has to reject both a TotalLength larger than its reassembly buffer and a segment that does not fit in it. When either value is trusted and the payload is copied into a fixed-size buffer, the sender of the advertising packets controls both the length of the write and its contents. The vulnerable code sits in the provisioning bearer layer (PB-ADV), below the mesh network and access layers, during the phase in which an unprovisioned device and a provisioner exchange public keys, authenticate each other and derive the network credentials.

Operationally, the exposed surface is any device that is currently running PB-ADV provisioning and therefore accepting Generic Provisioning PDUs from a nearby radio. No credentials are needed at that point, because establishing them is what provisioning is for; the attacker needs to be within Bluetooth range and able to transmit crafted advertising packets, either as the peer in a live provisioning session or as a rogue provisioner targeting an unprovisioned device that is beaconing. The minimum impact is denial of service through a crash of the mesh stack; code execution on the node is possible in principle, depending on what follows link.rx.buf in memory, but the page presents no exploit. The VulDB entry maps the issue to ATT&CK T1059.007 (Command and Scripting Interpreter: JavaScript), which does not describe a memory-safety bug in an embedded Bluetooth stack and should not be reused for detection mapping. The CWE-121 (stack-based buffer overflow) classification should likewise be checked against where link.rx.buf actually lives in the affected Zephyr version, since the summary only establishes an out-of-bounds write into a receive buffer, not its storage class.

Mitigation is to move to a Zephyr release that contains the fix for CVE-2025-9558. For this class of bug the fix is to validate the announced total length against the capacity of link.rx.buf and the actual segment length against the space that remains, before any copy, and to fail the provisioning transaction when either check fails, which is the standard bounds-checking discipline the CERT C Secure Coding Standard describes. Until a build can be updated, exposure is reduced by keeping devices out of the provisioning state except while an operator is actively provisioning them, since unprovisioned device beaconing is what invites PB-ADV traffic, and, where a product can use PB-GATT instead, by leaving the PB-ADV bearer out of the build so the affected code path is absent. Fleet operators should log provisioning failures and provisioning attempts against nodes that are already provisioned: a device that keeps receiving Transaction Start PDUs outside a planned provisioning window is either misconfigured or under attack.
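The following C program is an added illustration of the bug class described above, not Zephyr's pb_adv.c. It models a PB-ADV Transaction Start receiver with a fixed-size reassembly buffer, shows the unchecked copy beside a bounds-checked version, and uses a guard region after the buffer to make an out-of-bounds write observable. The buffer size (65 bytes), the rx_buf descriptor, the function names gen_prov_start_unchecked and gen_prov_start_checked, and the constructed PDUs are all assumptions made for the example; only the Transaction Start layout (GPC byte, 16-bit TotalLength, FCS, data) follows the Bluetooth Mesh specification.

```c
/* Added example, not Zephyr code: a simplified PB-ADV Transaction Start receiver
 * showing an unchecked copy into a fixed receive buffer next to a checked one. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROV_RX_BUF_SIZE 65U   /* assumed reassembly buffer capacity */
#define GUARD_SIZE       64U   /* sentinel region placed right after the buffer */
#define GUARD_BYTE       0xA5

/* Assumed buffer descriptor, shaped loosely like a data/size/len buffer object. */
struct rx_buf {
    uint8_t *data;
    uint16_t size;   /* capacity in bytes */
    uint16_t len;    /* TotalLength announced by the current transaction */
};

/* Backing storage: the receive buffer followed by a guard region, so that an
 * overflowing copy lands in the guard (which we can inspect) instead of in
 * unrelated memory. */
uint8_t arena[PROV_RX_BUF_SIZE + GUARD_SIZE];
struct rx_buf rx = { arena, PROV_RX_BUF_SIZE, 0 };

void rx_reset(void) {
    memset(arena, 0, PROV_RX_BUF_SIZE);
    memset(arena + PROV_RX_BUF_SIZE, GUARD_BYTE, GUARD_SIZE);
    rx.len = 0;
}

/* True if nothing has been written past the end of the receive buffer. */
bool guard_intact(void) {
    for (size_t i = 0; i < GUARD_SIZE; i++) {
        if (arena[PROV_RX_BUF_SIZE + i] != GUARD_BYTE) return false;
    }
    return true;
}

/* Transaction Start PDU layout (Generic Provisioning PDU):
 *   [0]    GPC: SegN in the upper 6 bits, GPCF = 0b00 (Transaction Start)
 *   [1..2] TotalLength of the provisioning PDU, big-endian
 *   [3]    FCS
 *   [4..]  first segment of the provisioning PDU data */
#define START_HDR_LEN 4U

/* Vulnerable pattern: trusts the peer and copies the whole segment. */
int gen_prov_start_unchecked(struct rx_buf *b, const uint8_t *pdu, size_t pdu_len) {
    if (pdu_len < START_HDR_LEN) return -1;
    b->len = (uint16_t)((pdu[1] << 8) | pdu[2]);
    size_t seg_len = pdu_len - START_HDR_LEN;
    /* BUG: neither b->len nor seg_len is compared with b->size before the copy. */
    memcpy(b->data, pdu + START_HDR_LEN, seg_len);
    return 0;
}

/* Hardened pattern: validate the announced total and the actual segment length
 * against the buffer capacity, and fail the transaction if either does not fit. */
int gen_prov_start_checked(struct rx_buf *b, const uint8_t *pdu, size_t pdu_len) {
    if (pdu_len < START_HDR_LEN) return -1;
    uint16_t total = (uint16_t)((pdu[1] << 8) | pdu[2]);
    size_t seg_len = pdu_len - START_HDR_LEN;
    if (total < 1 || total > b->size) return -2;   /* announced PDU cannot fit */
    if (seg_len > total) return -3;                /* segment longer than announced total */
    b->len = total;
    memcpy(b->data, pdu + START_HDR_LEN, seg_len); /* seg_len <= total <= b->size */
    return 0;
}

/* Builds a constructed Transaction Start PDU with `payload_len` bytes of 0x41.
 * Returns the PDU length, or 0 if it does not fit in `out`. FCS is left as 0. */
size_t build_start_pdu(uint8_t *out, size_t out_cap, uint16_t total, size_t payload_len) {
    if (out_cap < START_HDR_LEN + payload_len) return 0;
    out[0] = 0x00;                       /* SegN = 0, GPCF = Transaction Start */
    out[1] = (uint8_t)(total >> 8);
    out[2] = (uint8_t)(total & 0xff);
    out[3] = 0x00;
    memset(out + START_HDR_LEN, 0x41, payload_len);
    return START_HDR_LEN + payload_len;
}

int main(void) {
    uint8_t pdu[160];
    /* Constructed attack PDU: 100-byte payload aimed at a 65-byte buffer. */
    size_t n = build_start_pdu(pdu, sizeof pdu, 100, 100);

    rx_reset();
    gen_prov_start_unchecked(&rx, pdu, n);
    printf("unchecked: guard %s\n", guard_intact() ? "intact" : "CORRUPTED");

    rx_reset();
    int rc = gen_prov_start_checked(&rx, pdu, n);
    printf("checked:   rc=%d, guard %s\n", rc, guard_intact() ? "intact" : "CORRUPTED");
    return 0;
}
```

The checked variant rejects the PDU before touching the buffer, which is the property the fix for this CVE has to provide: a length announced by the peer is data, not a trusted bound, and every copy into link.rx.buf must be limited by the buffer's own capacity.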

Responsible

Zephyr

Reservation

08/27/2025

Disclosure

11/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00023

KEV

no

Activities

very low

Sources
