CVE-2026-31772
Analyzed Analyzed - Analysis Complete
Stack Buffer Overflow in Linux Kernel Bluetooth

Publication date: 2026-05-01

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync hci_le_big_create_sync() uses DEFINE_FLEX to allocate a struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17) BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31) entries β€” validated against ISO_MAX_NUM_BIS (0x1f) in the caller hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31, the memcpy that copies conn->bis into cp->bis writes up to 14 bytes past the stack buffer, corrupting adjacent stack memory. This is trivially reproducible: binding an ISO socket with bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will eventually trigger hci_le_big_create_sync() from the HCI command sync worker, causing a KASAN-detectable stack-out-of-bounds write: BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0 Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71 Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that conn->bis can actually carry.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31772
EUVD
EUVD-2026-26585
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.11.11 (inc) to 6.12 (exc)
linux linux_kernel 6.13
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.13.1 (inc) to 6.18.22 (exc)
linux linux_kernel From 6.12.2 (inc) to 6.12.81 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth component, specifically in the function hci_le_big_create_sync. The function allocates a stack buffer sized for 17 BIS entries, but the actual number of BIS entries (conn->num_bis) can be up to 31. When the number of BIS entries is between 18 and 31, a memcpy operation copies more data than the allocated buffer can hold, causing a stack buffer overflow and corrupting adjacent stack memory.

This overflow is reproducible by binding an ISO socket with the maximum number of BIS entries (31) and calling listen(), which triggers the vulnerable function and results in a detectable stack-out-of-bounds write.

The fix involved changing the buffer allocation size to match the maximum number of BIS entries, preventing the overflow.

Impact Analysis

This vulnerability can lead to stack memory corruption in the Linux kernel's Bluetooth subsystem. Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Because the overflow occurs in kernel space, exploitation could compromise the entire system's security, leading to denial of service or privilege escalation.

Detection Guidance

This vulnerability is detectable by triggering the condition that causes the stack buffer overflow in the Bluetooth hci_le_big_create_sync function. Specifically, binding an ISO socket with bc_num_bis set to ISO_MAX_NUM_BIS (31) and calling listen() will eventually trigger the vulnerable function, causing a KASAN-detectable stack-out-of-bounds write.

Detection can be done by monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports indicating a stack-out-of-bounds write in hci_le_big_create_sync, such as messages like: "BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0".

While no specific commands are provided in the context, a possible approach to detect this vulnerability is to attempt to reproduce the issue by running code or commands that bind an ISO socket with bc_num_bis=31 and call listen(), then monitor dmesg or kernel logs for KASAN errors.

Mitigation Strategies

The vulnerability is fixed by changing the allocation size in the hci_le_big_create_sync function from 0x11 (17) to HCI_MAX_ISO_BIS (31), which matches the maximum number of BIS entries.

Immediate mitigation steps include updating the Linux kernel to a version that contains this fix.

Until the kernel is updated, avoid triggering the vulnerable code path by not binding ISO sockets with bc_num_bis set to values between 18 and 31.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31772. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart