CVE-2024-6259

7.6 HIGH

📋 TL;DR

This vulnerability in Zephyr RTOS's Bluetooth Host Controller Interface (HCI) allows improper discarding of advertising extension reports, potentially enabling attackers to cause denial of service or memory corruption. It affects systems using Zephyr RTOS with Bluetooth functionality. Embedded IoT devices and Bluetooth-enabled products are primarily impacted.

💻 Affected Systems

Products:
  • Zephyr RTOS
Versions: before v3.7.2
Operating Systems: Zephyr RTOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Bluetooth functionality enabled and using advertising extensions

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, data exfiltration, or permanent device bricking

🟠 Likely Case: Bluetooth stack crashes causing denial of service, requiring device restart

🟢 If Mitigated: Limited impact with proper Bluetooth security controls and network segmentation

🌐 Internet-Facing: MEDIUM - Requires Bluetooth proximity or network access to Bluetooth services
🏢 Internal Only: MEDIUM - Internal Bluetooth-enabled devices could be targeted within radio range

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires Bluetooth access and knowledge of the vulnerability, but no authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.7.2 and later

Vendor Advisory: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p5j7-v26w-wmcp

Restart Required: Yes

Instructions:

1. Update Zephyr RTOS to version 3.7.2 or later.
2. Rebuild and flash the firmware.
3. Restart affected devices.

🔧 Temporary Workarounds

Disable Bluetooth advertising extensions (applies to: all)

Disable CONFIG_BT_EXT_ADV and CONFIG_BT_PER_ADV_SYNC in the Zephyr configuration:

CONFIG_BT_EXT_ADV=n
CONFIG_BT_PER_ADV_SYNC=n

Disable Bluetooth entirely (applies to: all)

Completely disable Bluetooth functionality if it is not required:

CONFIG_BT=n

🧯 If You Can't Patch

  • Segment Bluetooth devices on isolated networks
  • Implement physical security controls to limit Bluetooth proximity access

🔍 How to Verify

Check if Vulnerable:

Check the Zephyr version with 'west config zephyr.base' and confirm whether it is below v3.7.2 with Bluetooth enabled

Check Version:

west config zephyr.base

Verify Fix Applied:

Verify Zephyr version is v3.7.2 or later and check Bluetooth configuration

📡 Detection & Monitoring

Log Indicators:

  • Bluetooth stack crashes
  • HCI command failures
  • Memory allocation errors in Bluetooth subsystem

Network Indicators:

  • Unusual Bluetooth advertising patterns
  • Malformed Bluetooth packets targeting HCI

SIEM Query:

source="bluetooth_logs" AND (event="crash" OR event="memory_error") AND subsystem="hci"
