CVE-2026-31772
Stack Buffer Overflow in Linux Kernel Bluetooth
Publication date: 2026-05-01
Last updated on: 2026-05-03
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Bluetooth component, specifically in the function hci_le_big_create_sync. The function allocates a stack buffer sized for 17 BIS entries, but the actual number of BIS entries (conn->num_bis) can be up to 31. When the number of BIS entries is between 18 and 31, a memcpy operation copies more data than the allocated buffer can hold, causing a stack buffer overflow and corrupting adjacent stack memory.
This overflow is reproducible by binding an ISO socket with the maximum number of BIS entries (31) and calling listen(), which triggers the vulnerable function and results in a detectable stack-out-of-bounds write.
The fix involved changing the buffer allocation size to match the maximum number of BIS entries, preventing the overflow.
How can this vulnerability impact me? :
This vulnerability can lead to stack memory corruption in the Linux kernel's Bluetooth subsystem. Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.
Because the overflow occurs in kernel space, exploitation could compromise the entire system's security, leading to denial of service or privilege escalation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is detectable by triggering the condition that causes the stack buffer overflow in the Bluetooth hci_le_big_create_sync function. Specifically, binding an ISO socket with bc_num_bis set to ISO_MAX_NUM_BIS (31) and calling listen() will eventually trigger the vulnerable function, causing a KASAN-detectable stack-out-of-bounds write.
Detection can be done by monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports indicating a stack-out-of-bounds write in hci_le_big_create_sync, such as messages like: "BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0".
While no specific commands are provided in the context, a possible approach to detect this vulnerability is to attempt to reproduce the issue by running code or commands that bind an ISO socket with bc_num_bis=31 and call listen(), then monitor dmesg or kernel logs for KASAN errors.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by changing the allocation size in the hci_le_big_create_sync function from 0x11 (17) to HCI_MAX_ISO_BIS (31), which matches the maximum number of BIS entries.
Immediate mitigation steps include updating the Linux kernel to a version that contains this fix.
Until the kernel is updated, avoid triggering the vulnerable code path by not binding ISO sockets with bc_num_bis set to values between 18 and 31.