
CVE-2026-10654: Zephyr Bluetooth Classic RFCOMM session-disconnect race condition

CVSS 3.1: Low · EPSS: 0.12% · Priority: P2

Affected version matrix (1)

Vendor         Product   Version range       Status
zephyrproject  zephyr    1.6.0 to < 4.5.0    affected

I. Basic information on CVE-2026-10654

Vulnerability information


Vulnerability Title
RFCOMM session-disconnect race leaks session/L2CAP and denies further RFCOMM service in Zephyr Bluetooth Classic
Source: NVD (U.S. National Vulnerability Database)
Vulnerability Description
A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a session teardown (state BT_RFCOMM_STATE_DISCONNECTING, DISC sent, RTX timer armed) and the connected peer concurrently sends its own DISC frame for dlci 0, rfcomm_handle_disc() invokes rfcomm_session_disconnected(), which unconditionally forces the session to BT_RFCOMM_STATE_DISCONNECTED without ever calling bt_l2cap_chan_disconnect(). Because the recovery timer is also cancelled and a later UA is ignored in the DISCONNECTED state, the session becomes permanently wedged: the underlying L2CAP channel is never released and the session slot in the fixed bt_rfcomm_pool[CONFIG_BT_MAX_CONN] array is never reclaimed (its conn pointer stays set). Subsequent bt_rfcomm_dlc_connect() calls on that connection fail with -EINVAL due to the invalid session state, so RFCOMM service is denied for that peer, and repeated occurrences can exhaust the session pool. The DISC frame is peer-controlled over the air, but exploitation requires the peer's DISC to collide with a locally initiated disconnect (a high-complexity timing race). Impact is availability/resource-leak only; there is no memory-safety, confidentiality, or integrity consequence. The defect shipped in released versions (present in v4.4.0 and earlier). The fix only transitions to DISCONNECTED when the session is not already in DISCONNECTING, preserving the proper L2CAP teardown path.
Source: NVD (U.S. National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (U.S. National Vulnerability Database)
Vulnerability Type
Concurrent execution using a shared resource with improper synchronization (race condition)
Source: NVD (U.S. National Vulnerability Database)
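The state-machine defect and its fix, as an added illustrative model that is not Zephyr's code: the state names, frame types and function names follow the NVD description above, while the pool size, the synchronous L2CAP release, the `fixed` flag and `simulate_collision()` are assumptions of this model.

```c
#include <errno.h>
#include <stdbool.h>
#define CONFIG_BT_MAX_CONN 2 /* assumed pool size for this model */

enum rfcomm_state { BT_RFCOMM_STATE_IDLE, BT_RFCOMM_STATE_CONNECTED,
                    BT_RFCOMM_STATE_DISCONNECTING, BT_RFCOMM_STATE_DISCONNECTED };

struct rfcomm_session {
    int conn;                /* non-zero: slot in use (stands in for the conn pointer) */
    enum rfcomm_state state;
    bool rtx_armed;          /* RTX recovery timer */
    bool l2cap_open;         /* underlying L2CAP channel still held */
};
static struct rfcomm_session bt_rfcomm_pool[CONFIG_BT_MAX_CONN];

/* Releasing L2CAP is what frees the slot; the async callback is folded in here (model). */
static void bt_l2cap_chan_disconnect(struct rfcomm_session *s) {
    s->l2cap_open = false;
    s->conn = 0;
    s->state = BT_RFCOMM_STATE_IDLE;
}
/* Peer DISC on dlci 0, reached via rfcomm_handle_disc(). 'fixed' adds the patch's check. */
static void rfcomm_session_disconnected(struct rfcomm_session *s, bool fixed) {
    if (fixed && s->state == BT_RFCOMM_STATE_DISCONNECTING) {
        return; /* local teardown already in flight: let the UA path finish it */
    }
    s->rtx_armed = false;                    /* recovery timer cancelled */
    s->state = BT_RFCOMM_STATE_DISCONNECTED; /* bt_l2cap_chan_disconnect() never called */
}
/* Peer UA: honoured only while DISCONNECTING; silently ignored once DISCONNECTED. */
static void rfcomm_handle_ua(struct rfcomm_session *s) {
    if (s->state == BT_RFCOMM_STATE_DISCONNECTING) {
        s->rtx_armed = false;
        bt_l2cap_chan_disconnect(s);
    }
}
/* A session that is still allocated but not CONNECTED rejects new DLCs. */
static int bt_rfcomm_dlc_connect(struct rfcomm_session *s) {
    return (s->conn && s->state != BT_RFCOMM_STATE_CONNECTED) ? -EINVAL : 0;
}
/* Local DISC sent and RTX armed, the peer's DISC collides, then its UA arrives.
 * Returns the next bt_rfcomm_dlc_connect() result; bt_rfcomm_pool[0].l2cap_open
 * afterwards tells whether the channel (and the slot) leaked. */
int simulate_collision(bool fixed) {
    struct rfcomm_session *s = &bt_rfcomm_pool[0];
    *s = (struct rfcomm_session){ .conn = 1, .state = BT_RFCOMM_STATE_DISCONNECTING,
                                  .rtx_armed = true, .l2cap_open = true };
    rfcomm_session_disconnected(s, fixed);
    rfcomm_handle_ua(s);
    return bt_rfcomm_dlc_connect(s);
}
```

In the unpatched path the slot stays allocated with its L2CAP channel open and the next DLC connect returns -EINVAL; with the patched check the UA completes the teardown and the slot is reclaimed.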

Affected products

Vendor         Product   Affected versions   CPE
zephyrproject  zephyr    1.6.0 ~ 4.5.0       -

II. Public PoC for CVE-2026-10654


No public PoC found.


III. Threat intelligence for CVE-2026-10654


Patches and fixes for CVE-2026-10654 (1)

Vendor security advisories for CVE-2026-10654 (1)

Advisories from the same batch · zephyrproject · 2026-06-30 · 5 in total

CVE-2026-9263 · 6.5 MEDIUM · Bluetooth controller ISOAL memory leak
CVE-2026-10655 · 6.5 MEDIUM · Use-after-free race when the SNTP asynchronous client closes its socket
CVE-2026-10653 · 6.4 MEDIUM · Non-atomic net_buf reference counting leads to double free / list corruption on concurrent unref
CVE-2026-10652 · 4.8 MEDIUM · Zephyr DNS resolver out-of-bounds read

IV. Related Vulnerabilities

V. Comments for CVE-2026-10654
