Apache Mynewt security advisories
Security information for Apache Mynewt
Reporting
Do you want disclose a potential security issue for Apache Mynewt? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Incorrect handling of SMP Security Request could lead to undesirable pairing
CVE-2025-62235 [CVE] [CVE json] [OSV json]
Last updated: 2026-01-10T09:42:36.935Z
Affected
- Apache Mynewt NimBLE through 1.8.0
Description
Authentication Bypass by Spoofing vulnerability in Apache NimBLE.
Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor.This issue affects Apache NimBLE: through 1.8.0.
Users are recommended to upgrade to version 1.9.0, which fixes the issue.
References
- https://github.com/apache/mynewt-nimble/commit/41f67e391e788c5feef9030026cc5cbc5431838a
- https://lists.apache.org/thread/rw2mrpfwb9d9wmq4h4b6ctcd6gpkk2ho
Credits
- Tommaso Sacchetti tommaso.sacchetti@gmail.com (reporter)
NULL Pointer Dereference in NimBLE host HCI layer
CVE-2025-53477 [CVE] [CVE json] [OSV json]
Last updated: 2026-01-10T09:45:08.352Z
Affected
- Apache Mynewt NimBLE through 1.8.0
Description
NULL Pointer Dereference vulnerability in Apache Nimble.
Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference.This issue requires disabled asserts and broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.8.0.
Users are recommended to upgrade to version 1.9.0, which fixes the issue.
References
- https://github.com/apache/mynewt-nimble/commit/0caf9baeb271ede85fcc5237ab87ddbf938600da
- https://github.com/apache/mynewt-nimble/commit/3160b8c4c7ff8db4e0f9badcdf7df684b151e077
- https://lists.apache.org/thread/1dxthc132hwm2tzvjblrtnschcsbw2vo
Credits
- 雷重庆 leicq@seu.edu.cn (reporter)
Out-of-Bounds Write Vulnerability in NimBLE HCI H4 driver
CVE-2025-53470 [CVE] [CVE json] [OSV json]
Last updated: 2026-01-10T09:46:32.072Z
Affected
- Apache Mynewt NimBLE through 1.8
Description
Out-of-bounds Read vulnerability in Apache NimBLE HCI H4 driver. Specially crafted HCI event could lead to invalid memory read in H4 driver.
This issue affects Apache NimBLE: through 1.8.
This issue requires a broken or bogus Bluetooth controller and thus severity is considered low.
Users are recommended to upgrade to version 1.9, which fixes the issue.
References
- https://github.com/apache/mynewt-nimble/commit/b973df0c6cf7b30efbf8eb2cafdc1ee843464b76
- https://lists.apache.org/thread/32sm0944dyod4sdql77stgyw9xb2msc0
Credits
- 雷重庆 leicq@seu.edu.cn (reporter)
Invalid error handling in pause encryption procedure in NimBLE controller
CVE-2025-52435 [CVE] [CVE json] [OSV json]
Last updated: 2026-01-10T09:47:08.833Z
Affected
- Apache Mynewt NimBLE through 1.8.0
Description
J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE.
Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange.This issue affects Apache NimBLE: through <= 1.8.0.
Users are recommended to upgrade to version 1.9.0, which fixes the issue.
References
- https://github.com/apache/mynewt-nimble/commit/164f1c23c18a290908df76ed83fe848bfe4a4903
- https://github.com/apache/mynewt-nimble/commit/ec3d75e909fa6dcadf1836fefc4432794a673d18
- https://lists.apache.org/thread/ow8dzpsqfh9llfclh5fzh6z237brzc0s
Credits
- Henrik Schnor henrik.schnor@mailbox.org (reporter)
Lack of input sanitization leading to out-of-bound reads in Number of Completed Packets HCI event handler
CVE-2024-51569 [CVE] [CVE json] [OSV json]
Last updated: 2024-12-06T07:50:42.419Z
Affected
- Apache NimBLE through 1.7.0
Description
Out-of-bounds Read vulnerability in Apache NimBLE.
Missing proper validation of HCI Number Of Completed Packets could lead to out-of-bound access when parsing HCI event and invalid read from HCI transport memory.This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
References
- https://lists.apache.org/thread/q0vs5rddx1lho30xnpsrvpzgxqmywnhs
- https://github.com/apache/mynewt-nimble/commit/4e3ac5b6e7c7df63a594c4ff6839e266b4ccfed9
Credits
- Eunkyu Lee (reporter)
Lack of input validation in HCI advertising report could lead to potential out-of-bound access
CVE-2024-47250 [CVE] [CVE json] [OSV json]
Last updated: 2024-12-06T07:50:00.629Z
Affected
- Apache NimBLE through 1.7.0
Description
Out-of-bounds Read vulnerability in Apache NimBLE.
Missing proper validation of HCI advertising report could lead to out-of-bound access when parsing HCI event and thus bogus GAP 'device found' events being sent.This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
References
- https://lists.apache.org/thread/zdb50spojlqbn0yxd866mbzqjt2vpt85
- https://github.com/apache/mynewt-nimble/commit/3b7a32ea09a3bffaab831ee0ab193a2375fc4df6
- https://github.com/apache/mynewt-nimble/commit/23d61150ddae4bc8356356d7ef09d816fb89da45
Credits
- Eunkyu Lee (reporter)
Lack of input sanitization leading to out-of-bound reads in multiple advertisement handler
CVE-2024-47249 [CVE] [CVE json] [OSV json]
Last updated: 2024-12-06T07:49:57.242Z
Affected
- Apache NimBLE through 1.7.0
Description
Improper Validation of Array Index vulnerability in Apache NimBLE.
Lack of input validation for HCI events from controller could result in out-of-bound memory corruption and crash.This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
References
- https://lists.apache.org/thread/7ckxw6481dp68ons627pjcb27c75n0mq
- https://github.com/apache/mynewt-nimble/commit/f39330866a85fa4de49246e9d21334bc8d14f0a1
Credits
- Eunkyu Lee (reporter)
Buffer overflow in NimBLE MESH Bluetooth stack
CVE-2024-47248 [CVE] [CVE json] [OSV json]
Last updated: 2024-12-06T07:39:45.067Z
Affected
- Apache NimBLE through 1.7.0
Description
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Apache NimBLE.
Specially crafted MESH message could result in memory corruption when non-default build configuration is used.This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
References
- https://lists.apache.org/thread/z8m7jqh54xybf9kz8q2l3tz92zsj7tmz
- https://github.com/apache/mynewt-nimble/commit/4f75c0b3b466186beff40e8489870c6cee076aaa
Credits
- Wei Che Kao (Xiaobye), graduate student from National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab. (reporter)
Denial of service in NimBLE Bluetooth stack
CVE-2024-24746 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-10T07:39:33.115Z
Affected
- Apache NimBLE through 1.6.0
Description
Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in Apache NimBLE.
Specially crafted GATT operation can cause infinite loop in GATT server leading to denial of service in Bluetooth stack or device.
This issue affects Apache NimBLE: through 1.6.0.
Users are recommended to upgrade to version 1.7.0, which fixes the issue.
References
- https://lists.apache.org/thread/bptkzc0o2ymjk8qqzqdmy39kcmh27078
- https://github.com/apache/mynewt-nimble/commit/d42a0ebe6632bd0c318560e4293a522634f60594
Credits
- Baptiste Boyer from Quarkslab Vulnerability Reports team (reporter)