Parameters are not validated or sanitized, and are later used in various internal operations.
- le_conn_rsp is the function responsible for handling the connection response when the BLE device itself initiated the connection request.
- In the response, the peer device sends back its own parameters for the connection:
a. The channel ID it would like to receive data on (CID)
b. The device MTU (Maximum Transmission Unit)
c. The MPS (Maximum PDU size)
- These values are not sanitized at all, and are later used in various logical and functional operations.
- Because of Vulnerability GHSA-hcc8-3qr7-c9m8 and Vulnerability GHSA-xqj6-vh76-2vv8, this can be exploited regardless of whether the device initiates a connection or not!
- Even without those primitives, any connection request made by the device exposes it to this issue, since the peer controls the response!
- This issue leads to a severe buffer overflow (caused by an integer underflow) in the ATT module. For example (other examples may exist):
a. The ATT module assumes that bt_att_mtu returns at least a minimum value and subtracts from it. When the peer-supplied MTU is smaller than that minimum, the unsigned subtraction underflows, and far more data is pushed than the buffer can hold.
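The following is an added example and not Zephyr's own code. It parses an L2CAP LE Credit Based Connection Response (the PDU le_conn_rsp handles), shows the bug class described above (a peer-controlled MTU fed unchecked into an unsigned subtraction that then becomes a copy length), and places the validation next to it. The CID range, MTU and MPS limits are the ones from the Bluetooth Core Specification for LE credit based channels; ATT_HDR_OVERHEAD, ATT_MIN_MTU, the function names and the sample PDU bytes are assumptions constructed for the illustration, not values from the advisory.

```c
/* Added example (not Zephyr code): parse and validate an L2CAP LE Credit Based
 * Connection Response and show the unsigned underflow an unchecked MTU causes. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* L2CAP signaling code and payload length of LE Credit Based Connection Response:
 * DCID, MTU, MPS, Initial Credits, Result (five little-endian u16 fields). */
#define L2CAP_LE_CREDIT_CONN_RSP 0x15
#define L2CAP_LE_CONN_RSP_LEN    10

/* Spec limits for LE credit based channels and the LE dynamic CID range. */
#define L2CAP_LE_MTU_MIN       23
#define L2CAP_LE_MPS_MIN       23
#define L2CAP_LE_MPS_MAX       65533
#define L2CAP_LE_CID_DYN_START 0x0040
#define L2CAP_LE_CID_DYN_END   0x007F

/* Assumed for the illustration: header bytes the ATT code subtracts from the MTU,
 * and the smallest MTU the ATT code is entitled to assume. */
#define ATT_HDR_OVERHEAD 3
#define ATT_MIN_MTU      23

struct le_conn_rsp {
    uint16_t dcid, mtu, mps, credits, result;
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse a signaling PDU: code, identifier, length (LE16), then the payload.
 * Only the framing is checked here; the field values are not. */
bool le_conn_rsp_parse(const uint8_t *pdu, size_t len, struct le_conn_rsp *out)
{
    if (len < 4 + L2CAP_LE_CONN_RSP_LEN) return false;
    if (pdu[0] != L2CAP_LE_CREDIT_CONN_RSP) return false;
    if (get_le16(&pdu[2]) != L2CAP_LE_CONN_RSP_LEN) return false;
    const uint8_t *p = &pdu[4];
    out->dcid    = get_le16(p);
    out->mtu     = get_le16(p + 2);
    out->mps     = get_le16(p + 4);
    out->credits = get_le16(p + 6);
    out->result  = get_le16(p + 8);
    return true;
}

/* The bug class: trust the peer MTU and subtract the header overhead. With
 * peer_mtu < ATT_HDR_OVERHEAD the unsigned subtraction wraps (1 - 3 -> 65534). */
uint16_t att_payload_len_unchecked(uint16_t peer_mtu)
{
    return (uint16_t)(peer_mtu - ATT_HDR_OVERHEAD);
}

/* True if copying att_payload_len_unchecked() bytes into a buffer of buf_cap
 * bytes would overrun it; this is the overflow the advisory describes. */
bool att_push_would_overflow(uint16_t peer_mtu, size_t buf_cap)
{
    return att_payload_len_unchecked(peer_mtu) > buf_cap;
}

/* Hardened: reject the response unless every field is within spec limits. */
bool le_conn_rsp_validate(const struct le_conn_rsp *r)
{
    if (r->result != 0x0000) return false;   /* only "connection successful" */
    if (r->dcid < L2CAP_LE_CID_DYN_START || r->dcid > L2CAP_LE_CID_DYN_END) return false;
    if (r->mtu < L2CAP_LE_MTU_MIN) return false;
    if (r->mps < L2CAP_LE_MPS_MIN || r->mps > L2CAP_LE_MPS_MAX) return false;
    return true;
}

/* Hardened length calculation: fail closed (push nothing) below the minimum MTU
 * instead of letting the subtraction wrap. */
size_t att_payload_len_checked(uint16_t mtu)
{
    if (mtu < ATT_MIN_MTU) return 0;
    return (size_t)mtu - ATT_HDR_OVERHEAD;
}

/* Constructed sample: a malicious response with DCID 0x0040, MTU 1, MPS 1,
 * 1 initial credit, result = success. */
const uint8_t malicious_rsp[] = {
    0x15, 0x01, 0x0A, 0x00,   /* code, identifier, length = 10 */
    0x40, 0x00,               /* DCID = 0x0040 */
    0x01, 0x00,               /* MTU = 1 */
    0x01, 0x00,               /* MPS = 1 */
    0x01, 0x00,               /* initial credits = 1 */
    0x00, 0x00,               /* result = connection successful */
};

int main(void)
{
    struct le_conn_rsp r;
    if (!le_conn_rsp_parse(malicious_rsp, sizeof(malicious_rsp), &r)) return 1;
    printf("peer mtu=%u unchecked payload len=%u overflow(251-byte buf)=%d\n",
           r.mtu, att_payload_len_unchecked(r.mtu),
           att_push_would_overflow(r.mtu, 251));
    printf("validate=%d checked payload len=%zu\n",
           le_conn_rsp_validate(&r), att_payload_len_checked(r.mtu));
    return 0;
}
```

The point of the pair of length functions is that the validation belongs at the L2CAP layer, before the parameters are stored for the channel; the clamp in att_payload_len_checked is a second line of defence in case a later code path reaches the MTU through another route.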
Patches
For more information
If you have any questions or comments about this advisory:
embargo: 2025-09-05