‭There is a potential OOB write in the gen_prov_cont function of the
pb_adv.c file. This‬ ‭vulnerability occurs because the seg variable,
which is user-controlled, is used to compute the‬ ‭offset where data is
copied into. However, an integer underflow and overflow invalidates
its‬ ‭validation.

• ‭ seg is computed from rx->gpc in‬‭ https://github.com/zephyrprojectrtos/zephyr/blob/main/subsys/bluetooth/mesh/pb_adv.c#L483‭.‬
• ‭There is a validation in https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/pb_adv.c#L536 ‬‭that the offset‬‭computed from seg ((20 + ((seg - 1) * 23)))‬ and the length of data does not overflow the receiver buffer.‬
• However, if seg = 0, the computation will yield an offset of 253‬
  • ‭seg - 1 underflows, yielding 255‬
  • 255 * 23 overflows multiple times, yielding 233‬
  • ‭233 + 20 yields 253‬
• If buf->len has a value greater than 2, then adding it to 253 overflows, yielding a number‬
  ‭that is potentially less than RX_BUFFER_MAX (65).‬
• ‭Finally, the computed offset is used to compute the destination address of the memcpy‬
  ‭in‬‭line https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/pb_adv.c#541‬‭. This can cause a large out-of-bound write‬‭in the rx.buf->data array.‬

‭Potential Impact‬

‭An out-of-bound write can lead to an arbitrary code execution. This is more severe in real-time‬
‭operating systems like Zephyr that run in embedded devices without common memory‬
‭protection systems. Even on devices with some form of memory protection, this can still lead to‬
‭a crash and a resultant denial of service.‬

Patches

main: #95061
4.2: #97518
4.1: #97517

For more information

If you have any questions or comments about this advisory:

• Open an issue in zephyr
• Email us at Zephyr-vulnerabilities

embargo: 2025-11-24