Category

Bluetooth

Security vulnerabilities and automated fixes for bluetooth issues

4 posts found

high7 min

How buffer overflow via strcpy() happens in Nordic BLE C firmware and how to fix it

A high-severity buffer overflow vulnerability was discovered in the Nordic BLE Central Demo firmware, where unsafe `strcpy()` and `sprintf()` calls in the `BleDevDiscovered()` function could allow attackers to overflow stack buffers by sending specially crafted BLE service discovery responses. The fix replaced all unbounded string operations with size-checked `snprintf()` calls, preventing potential remote code execution in embedded Bluetooth devices.

#buffer-overflow#embedded-security#bluetooth+4 more
O
orbisai0security
Jun 27, 2026
critical7 min

How buffer overflow happens in C Bluetooth device handling and how to fix it

A critical buffer overflow vulnerability in `src/wiiuse.c` allowed attackers within Bluetooth range to trigger heap corruption by sending specially crafted HID packets with oversized length values. The fix adds strict bounds checking to validate that data lengths don't exceed buffer capacity before performing memory operations, preventing exploitation by malicious or intercepted Bluetooth devices.

#buffer-overflow#c-security#bluetooth+4 more
O
orbisai0security
Jun 7, 2026
critical8 min

Heap Buffer Overflow in BLE MIDI: How a Missing Bounds Check Opens the Door to Remote Exploitation

A critical heap buffer overflow vulnerability was discovered in the BLE MIDI packet assembly code of `blemidi.c`, where attacker-controlled packet length values could trigger writes beyond allocated heap memory. The fix adds an integer overflow guard before the `malloc` call, ensuring that maliciously crafted BLE MIDI packets can no longer corrupt heap memory. This vulnerability is particularly dangerous because it is remotely exploitable by any nearby Bluetooth device — no physical access requi

#buffer-overflow#embedded-c#bluetooth+4 more
O
orbisai0security
May 28, 2026
critical8 min

Heap Buffer Overflow in BLE Stack: How a Missing Bounds Check Could Let Attackers Crash or Hijack Devices

A critical heap buffer overflow vulnerability was discovered and patched in `ble_spam.c`, where two consecutive `memcpy` calls copied attacker-controlled data into fixed-size heap buffers without validating the copy length first. An attacker within Bluetooth range could exploit this flaw to crash the target device, corrupt memory, or potentially execute arbitrary code — all without any authentication. The fix adds a proper bounds check before the copy operations, ensuring the length derived from

#buffer-overflow#bluetooth#ble+4 more
O
orbisai0security
May 19, 2026