
Bluetooth: peripheral: Invalid handling of malformed connection request

Moderate
ceolin published GHSA-8hrf-pfww-83v9 Nov 7, 2025

Package

Zephyr (zephyr)

Affected versions

<=4.1.0

Patched versions

None

Description

Dear Zephyr developer, please find below the details of the vulnerability found in the Zephyr implementation of the Bluetooth peripheral, tested on Zephyr OS version v4.1.0-3070-g91dfa23f80ee.

Short Description

Zephyr version: v4.1.0-3070-g91dfa23f80ee
Board: nrf52840DK
Discovered by: Zewen Shang Asset Research Group

Vulnerability Impact:
After the attack, the peripheral crashes and is no longer connectable: it stops sending advertisements, so no central can connect to it.

Summary of Relevant Files in This Report

Crash_Video/ble_vul2.mp4
This video shows that the crash is reproducible.
Crash_Log/Crash_log_Vul2
Contains the serial log of the crash.

Detailed Description

To trigger this crash, the attacker only needs to send a malformed connection request (CONNECT_IND) with the Interval field set to 1 (below the minimum of 6, i.e. 7.5 ms, that the specification allows) and the ChM field set to 0x7CFFFFFFFF.
Packet raw bytes (LLData only): 7083329a9c9a17020100010000006400ffffffff7c05
(InitA, AdvA and the Nordic sniffer header are not included, since they differ from device to device.)
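The following is an added example, not Zephyr code and not part of the original report: it decodes the 22-byte LLData of a CONNECT_IND as a controller (or a fuzzing harness) would, and checks every field against the parameter ranges the Bluetooth Core Specification gives for the Link Layer (interval 6..3200 units of 1.25 ms, latency below 500, supervision timeout 10..3200 units of 10 ms and larger than (1 + latency) * interval * 2, window size and offset bounded by the interval, hop 5..16, channel map with reserved bits 37..39 clear and at least two used channels). Run on the bytes from the report it flags the Interval of 1, the WinSize of 2 that no longer fits inside such an interval, and the ChM byte 0x7C, which sets reserved bits 37 and 38. The second, well-formed request in `main()` is constructed for contrast and is not from the page.

```c
/*
 * Added example (not Zephyr code): decode the LLData of a BLE CONNECT_IND
 * and check it against the Link Layer parameter ranges in the Bluetooth
 * Core Specification (Vol 6, Part B, Sec. 2.3.3.1). A controller that
 * rejects the request here never reaches the connection-event code path.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LLDATA_LEN 22

struct lldata {
    uint32_t access_addr;
    uint32_t crc_init;   /* 24 bits */
    uint8_t  win_size;   /* units of 1.25 ms */
    uint16_t win_offset; /* units of 1.25 ms */
    uint16_t interval;   /* units of 1.25 ms */
    uint16_t latency;    /* connection events */
    uint16_t timeout;    /* units of 10 ms */
    uint64_t ch_map;     /* 40-bit map, bit n = channel n */
    uint8_t  hop;        /* 5..16 */
    uint8_t  sca;        /* sleep clock accuracy code */
};

enum {
    LL_ERR_INTERVAL = 1 << 0, /* Interval not in 6..3200 (7.5 ms..4 s) */
    LL_ERR_LATENCY  = 1 << 1, /* Latency > 499 */
    LL_ERR_TIMEOUT  = 1 << 2, /* Timeout not in 10..3200, or not > (1+Latency)*Interval*2 */
    LL_ERR_WINSIZE  = 1 << 3, /* WinSize not in 1..min(8, Interval-1) */
    LL_ERR_WINOFF   = 1 << 4, /* WinOffset > Interval */
    LL_ERR_CHMAP    = 1 << 5, /* reserved bits 37..39 set, or fewer than 2 used channels */
    LL_ERR_HOP      = 1 << 6, /* Hop not in 5..16 */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static int popcount64(uint64_t v) { int c = 0; while (v) { v &= v - 1; c++; } return c; }

/* Decode hex text into bytes; returns byte count, or -1 on bad input. */
int hex_to_bytes(const char *hex, uint8_t *out, size_t max)
{
    size_t n = strlen(hex);
    if (n % 2 || n / 2 > max) return -1;
    for (size_t i = 0; i < n / 2; i++) {
        unsigned v;
        if (sscanf(hex + 2 * i, "%2x", &v) != 1) return -1;
        out[i] = (uint8_t)v;
    }
    return (int)(n / 2);
}

/* Parse the little-endian LLData fields. Returns 0 on success. */
int lldata_parse(const uint8_t *b, size_t len, struct lldata *d)
{
    if (len != LLDATA_LEN) return -1;
    d->access_addr = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    d->crc_init    = (uint32_t)b[4] | (uint32_t)b[5] << 8 | (uint32_t)b[6] << 16;
    d->win_size    = b[7];
    d->win_offset  = le16(b + 8);
    d->interval    = le16(b + 10);
    d->latency     = le16(b + 12);
    d->timeout     = le16(b + 14);
    d->ch_map = 0;
    for (int i = 0; i < 5; i++) d->ch_map |= (uint64_t)b[16 + i] << (8 * i);
    d->hop = b[21] & 0x1f;
    d->sca = b[21] >> 5;
    return 0;
}

/* Return a bitmask of LL_ERR_* violations; 0 means the request is well-formed. */
unsigned lldata_validate(const struct lldata *d)
{
    unsigned err = 0;
    int iv = d->interval;
    if (iv < 6 || iv > 3200) err |= LL_ERR_INTERVAL;
    if (d->latency > 499) err |= LL_ERR_LATENCY;
    /* Timeout*10 ms must exceed (1+Latency)*Interval*1.25 ms*2, i.e. Timeout*4 > (1+Latency)*Interval */
    if (d->timeout < 10 || d->timeout > 3200 ||
        (unsigned)d->timeout * 4 <= (unsigned)(1 + d->latency) * (unsigned)iv)
        err |= LL_ERR_TIMEOUT;
    int max_win = (iv - 1 < 8) ? iv - 1 : 8;
    if (d->win_size < 1 || d->win_size > max_win) err |= LL_ERR_WINSIZE;
    if (d->win_offset > iv) err |= LL_ERR_WINOFF;
    if (d->ch_map >> 37) err |= LL_ERR_CHMAP;                       /* 37..39 reserved */
    if (popcount64(d->ch_map & ((1ULL << 37) - 1)) < 2) err |= LL_ERR_CHMAP;
    if (d->hop < 5 || d->hop > 16) err |= LL_ERR_HOP;
    return err;
}

/* Hex LLData in, error mask out (~0u if the input cannot be parsed). */
unsigned check_connect_ind_hex(const char *hex)
{
    uint8_t buf[LLDATA_LEN];
    struct lldata d;
    int n = hex_to_bytes(hex, buf, sizeof buf);
    if (n < 0 || lldata_parse(buf, (size_t)n, &d) < 0) return ~0u;
    return lldata_validate(&d);
}

int main(void)
{
    /* LLData bytes from the report (AdvA/InitA omitted, as on the page) */
    const char *reported = "7083329a9c9a17020100010000006400ffffffff7c05";
    /* Constructed well-formed counterpart: WinSize 1, Interval 24 (30 ms), Timeout 72 (720 ms), ChM 0x1FFFFFFFFF */
    const char *sane = "7083329a9c9a17010000180000004800ffffffff1f05";
    printf("reported: error mask 0x%02x\n", check_connect_ind_hex(reported));
    printf("sane:     error mask 0x%02x\n", check_connect_ind_hex(sane));
    return 0;
}
```

The error mask is deliberately a bitmask rather than a single boolean so that a harness can tell which rule a fuzzed request violated; a real controller would simply drop the PDU (or reject the connection) on any non-zero result before scheduling the first connection event.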

Issue: Re-connection is not possible after the attack

After the malformed connection request is sent, the peripheral first reports itself as connected and then crashes with ZEPHYR FATAL ERROR 3: Kernel oops on CPU 0; the controller's peripheral prepare callback (lll_peripheral.c:342, prepare_cb) asserts while handling the connection. After that the peripheral stops advertising, so no central can connect to it again.
The full error log from the serial port monitor follows:

*** Booting Zephyr OS build v4.1.0-3070-g91dfa23f80ee ***
[00:00:00.258,758] <inf> fs_nvs: 8 Sectors of 4096 bytes
[00:00:00.258,758] <inf> fs_nvs: alloc wra: 0, f98
[00:00:00.258,758] <inf> fs_nvs: data wra: 0, 8c
[00:00:00.260,650] <inf> bt_hci_core: HW Platform: Nordic Semiconductor (0x0002)
[00:00:00.260,681] <inf> bt_hci_core: HW Variant: nRF52x (0x0002)
[00:00:00.260,711] <inf> bt_hci_core: Firmware: Standard Bluetooth controller (0x00) Version 4.1 Build 99
[00:00:00.260,986] <inf> bt_hci_core: No ID address. App must call settings_load()
Bluetooth initialized
[00:00:00.261,596] <inf> bt_hci_core: Identity: F6:0C:F4:D2:52:EA (random)
[00:00:00.261,627] <inf> bt_hci_core: HCI: version 5.4 (0x0d) revision 0x0000, manufacturer 0x05f1
[00:00:00.261,657] <inf> bt_hci_core: LMP: version 5.4 (0x0d) subver 0xffff
Advertising successfully started
Indicate VND attr 0x2b33c (UUID 12345678-1234-5678-1234-56789abcdef1)
Updated MTU: TX: 23 RX: 23 bytes
Connected
ASSERTION FAIL [0] @ WEST_TOPDIR/zephyr/subsys/bluetooth/controller/ll_sw/nordic/lll/lll_peripheral.c:342
	prepare_cb: Actual EVENT_OVERHEAD_START_US = 305
[00:00:36.868,804] <err> os: r0/a1:  0x00000003  r1/a2:  0x00000000  r2/a3:  0x00000004
[00:00:36.868,835] <err> os: r3/a4:  0x00000003 r12/ip:  0x00000010 r14/lr:  0x00001f3f
[00:00:36.868,835] <err> os:  xpsr:  0x01000011
[00:00:36.868,835] <err> os: Faulting instruction address (r15/pc): 0x00001f4e
[00:00:36.868,896] <err> os: >>> ZEPHYR FATAL ERROR 3: Kernel oops on CPU 0
[00:00:36.868,896] <err> os: Fault during interrupt handling
[00:00:36.868,927] <err> os: Current thread: 0x20001b40 (unknown)
[00:00:36.939,239] <err> os: Halting system

Patches

main: #89955


Severity

Moderate


CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2025-12890

Weaknesses

Improper Check or Handling of Exceptional Conditions (CWE-703)

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Credits