CVE-2025-9558 Overview
CVE-2025-9558 is an out-of-bounds write vulnerability in the gen_prov_start function within pb_adv.c, part of the Zephyr RTOS Bluetooth Mesh provisioning stack. The function copies the full length of received provisioning data into the link.rx.buf receiver buffer without validating the data size. An attacker within Bluetooth radio range can send a crafted PB-ADV provisioning PDU to trigger memory corruption on a target device. The flaw is classified under [CWE-120] (Classic Buffer Copy without Checking Size of Input). Exploitation can lead to denial of service or potential code execution on embedded devices running vulnerable Zephyr builds.
Critical Impact
A single malformed Bluetooth Mesh provisioning PDU can corrupt heap or stack memory on a Zephyr device, leading to a crash or potential arbitrary code execution from the adjacent network.
Affected Products
- Zephyr RTOS Bluetooth Mesh stack
- subsys/bluetooth/mesh/pb_adv.c implementations of gen_prov_start
- Embedded and IoT devices shipping with vulnerable Zephyr versions
Discovery Timeline
- 2025-11-26 - CVE-2025-9558 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-9558
Vulnerability Analysis
The vulnerability resides in the PB-ADV (Provisioning Bearer over Advertising) handler of the Zephyr Bluetooth Mesh subsystem. When a provisioning link is being established, gen_prov_start processes the initial fragment of a segmented provisioning PDU. The function copies the received payload into link.rx.buf based on the attacker-controlled length field of the incoming frame. Because no bounds check compares this length against the fixed capacity of link.rx.buf, an oversized fragment writes past the end of the buffer. The attacker must be within Bluetooth radio range, which limits remote reach but does not require authentication or user interaction. Successful exploitation can corrupt adjacent kernel structures, leading to device crash, persistent denial of service, or hijacked control flow on devices without memory protection.
Root Cause
The root cause is missing input validation on the segment length field before invoking the buffer copy operation in gen_prov_start. The receiver buffer link.rx.buf has a fixed compile-time size, but the code trusts the length advertised in the provisioning PDU. This is a textbook classic buffer overflow pattern tracked as [CWE-120].
Attack Vector
An unauthenticated attacker within Bluetooth Low Energy advertising range crafts a malicious PB-ADV provisioning PDU with an oversized initial fragment. The target device must be in an unprovisioned, provisionable state where it accepts PB-ADV link open requests. Upon processing the malformed Transaction Start PDU, gen_prov_start writes attacker-supplied bytes beyond the bounds of link.rx.buf, corrupting adjacent memory regions.
No verified public proof-of-concept code is available. Technical details are documented in the Zephyr GitHub Security Advisory GHSA-8wvr-688x-68vr.
Detection Methods for CVE-2025-9558
Indicators of Compromise
- Unexpected reboots, kernel panics, or fault handler traces on Zephyr devices with Bluetooth Mesh enabled
- Repeated PB-ADV link open or Transaction Start PDUs originating from unknown Bluetooth source addresses
- Provisioning failures or aborted transactions logged by the Bluetooth Mesh subsystem
Detection Strategies
- Audit firmware builds for the affected pb_adv.c revision and confirm whether the gen_prov_start patch is present
- Enable Zephyr fault handlers and crash dump collection to capture stack traces consistent with buffer overruns in the Bluetooth Mesh stack
- Deploy Bluetooth sniffers in sensitive environments to capture PB-ADV traffic and flag PDUs with abnormal length fields
Monitoring Recommendations
- Centralize device crash logs and watchdog reset events from fleets of Zephyr-based IoT devices for anomaly analysis
- Monitor provisioning activity windows and alert on unexpected PB-ADV traffic outside of authorized commissioning workflows
- Track firmware version inventory to identify devices still running pre-patch Zephyr builds
How to Mitigate CVE-2025-9558
Immediate Actions Required
- Inventory all Zephyr-based devices that enable Bluetooth Mesh provisioning and identify the Zephyr version in use
- Upgrade to a Zephyr release containing the fix referenced in GHSA-8wvr-688x-68vr
- Disable Bluetooth Mesh provisioning on devices that do not require it, or keep devices out of provisionable state when not actively commissioning
Patch Information
Apply the fix shipped by the Zephyr Project as described in the Zephyr GitHub Security Advisory GHSA-8wvr-688x-68vr. The patch adds size validation in gen_prov_start before data is copied into link.rx.buf. Rebuild and reflash affected firmware images, then verify the new version on each device.
Workarounds
- Restrict commissioning windows so devices only accept PB-ADV traffic for a short, supervised interval
- Provision devices in a Faraday-shielded environment to prevent reception of malicious adjacent Bluetooth traffic
- Where feasible, use PB-GATT provisioning over an authenticated channel instead of unauthenticated PB-ADV
# Configuration example - disable PB-ADV provisioning in Zephyr prj.conf if not required
CONFIG_BT_MESH_PB_ADV=n
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

