zephyrproject zephyr up to 4.4.x hfp_hf.c cind_handle ind_table[] out-of-bounds write

Summaryinfo

A vulnerability has been found in zephyrproject zephyr up to 4.4.x and classified as critical. The impacted element is the function cind_handle of the file subsys/bluetooth/host/classic/hfp_hf.c. This manipulation of the argument ind_table[] causes out-of-bounds write. This vulnerability appears as CVE-2026-10641. The attacker needs to be present on the local network. There is no available exploit. The affected component should be upgraded.

Detailsinfo

A vulnerability has been found in zephyrproject zephyr up to 4.4.x and classified as critical. Affected by this vulnerability is the function cind_handle of the file subsys/bluetooth/host/classic/hfp_hf.c. The manipulation of the argument ind_table[] with an unknown input leads to a out-of-bounds write vulnerability. The CWE definition for the vulnerability is CWE-787. The product writes data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf-ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf. Because the parser places no cap on the number of +CIND: list entries, a remote Attendant Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction. The sibling consumer ag_indicator_handle_values() already performed the equivalent bounds check; this commit adds the same index = ARRAY_SIZE(hf-ind_table) guard to close the gap. Affects builds with CONFIG_BT_HFP_HF enabled; introduced with the original HFP HF CIND parser (~v1.7) and present through v4.4.0.

It is possible to read the advisory at github.com. This vulnerability is known as CVE-2026-10641 since 06/02/2026. The exploitation appears to be easy. The attack needs to be done within the local network. The exploitation doesn't need any form of authentication. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 4.5.0 eliminates this vulnerability. Applying the patch cf7693a8261ae363c9cf46cfd51005486637173e is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-37702). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Project Management Software

Vendor

• zephyrproject

Name

• zephyr

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion