CVE-2021-3436: 
NixOS vulnerability analysis and mitigation

CVE-2021-3436 affects Zephyr versions >= 1.14.2, >= 2.4.0, and >= 2.5.0, involving a vulnerability in Bluetooth key distribution. The issue was discovered and disclosed on October 5, 2021, where it was possible to overwrite an existing bond during the keys distribution phase when the identity address of the bond is known (Zephyr Advisory).

The vulnerability is classified as Use of Multiple Resources with Duplicate Identifier (CWE-694). During the distribution of identity address information, the system fails to check for an existing bond with the same identity address. This creates a duplicate entry in RAM while the newest entry overwrites the existing one in persistent storage. The vulnerability has a CVSS v3.1 base score of 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) according to NVD, while Zephyr Project assessed it as 4.3 MEDIUM (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) (NVD).

When exploited, the vulnerability allows successful pairing but future reconnections likely pick the wrong keys entry, leading to MIC failure during encryption setup. After device reboot, only the newest bond information exists, with the authentication and security level of the newest bond, preventing security elevation (Zephyr Advisory).

The vulnerability has been patched in multiple versions: version 2.6.0 (master fix #33266), version 2.5.1-rc1 (fix #33432), and unreleased fixes for versions 2.4 (#33433) and 1.14 (#33718) (Zephyr Advisory).