Note: lists.zephyrproject.org will be down for maintenance on Monday, September 26th, starting at 9AM Pacific Time (4PM Monday September 26, 2022 UTC), for approximately one hour.
TL;DR: Zephyr is unlikely to be vulnerable
As some of you are probably aware, a set of vulnerabilities affecting almost all Bluetooth stacks have been found. These vulnerabilities have been given the name BlueBorne.
With the exception of Apple LE Audio and SMP, the vulnerable spots affect implementations of the Classic (BR/EDR) protocols. No hardware capable of Bluetooth Classic is supported by Zephyr.
Quoting Johan Hedberg:
The issue in SMP that was found in Android doesn't occur with
Linux and Zephyr since we don't care about bonding vs
no-bonding when deciding whether to fire off a "Confirm
Pairing" callback to the user.
For the L2CAP config option issue found in Linux, it seems we
don't have any issue in Zephyr since we only support a single
configuration option and the parsing is done in a different
For SDP, the bug in BlueZ looks like something less likely to
occur in other implementations (it's essentially accessing
data and only then checking the length). Luiz [von Dentz] is
looking at that in our Zephyr SDP code nevertheless.
There were also some issues with BNEP in Android, however we
don't have BNEP support in Zephyr.
If the review of our SDP code ends up finding an issue, an advisory (alongside a CVE identifier) will be made after a point release is made with the fix.