CVE-2026-46138
Bluetooth OOB Read in Linux Kernel

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access.

When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.

Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG if not all BIS could be set up properly.
Affected Vendors & Products
1 associated CPE:
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by fixing the Linux kernel Bluetooth code to properly terminate the BIG if not all BIS could be set up properly.

Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel Bluetooth subsystem to enter an infinite loop while holding a device lock, potentially leading to a denial of service (DoS) condition where Bluetooth functionality becomes unresponsive or the system's Bluetooth resources are locked.

Additionally, the out-of-bounds read pulls values from adjacent heap memory, so the handler acts on data that was never part of the event; this is undefined behaviour in the kernel and can further affect system reliability and security.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's Bluetooth subsystem, specifically in the function hci_le_create_big_complete_evt(). The function iterates over BT_BOUND connections for a BIG handle using a while loop, accessing an array ev->bis_handle without checking if the index stays within the valid range ev->num_bis.

If a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections, or with num_bis set to zero, the loop reads beyond the valid bis_handle array into adjacent heap memory. The out-of-bounds values are typically larger than HCI_CONN_HANDLE_MAX, so hci_conn_set_handle() rejects them and the connection remains in the BT_BOUND state; the lookup then finds the same connection again, producing an infinite loop while the device lock is held.

The issue is fixed by terminating the BIG if not all BIS could be set up properly, preventing the out-of-bounds read and infinite loop.
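To make the bug and the fix described in the Description and in this explanation concrete, here is an added, constructed model of the loop (not the kernel's code): the struct, lookup and set-handle helpers are simplified stand-ins that keep the page's names, and `demo_iterations()` feeds the handler an event whose valid entries are followed by 0xFF bytes in place of adjacent heap memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the loop the CVE text describes; stand-ins, not kernel code. */
#define HCI_CONN_HANDLE_MAX 0x0EFF
enum { BT_BOUND = 1, BT_CONNECTED = 2, BT_CLOSED = 3 };
struct hci_conn { uint8_t state; uint16_t handle; };
struct hci_evt_le_create_big_complete { uint8_t num_bis; uint16_t bis_handle[]; };
static bool hci_conn_set_handle(struct hci_conn *c, uint16_t h)
{
    if (h > HCI_CONN_HANDLE_MAX) return false;   /* rejected: conn stays BT_BOUND */
    c->handle = h; c->state = BT_CONNECTED; return true;
}
/* Stand-in for hci_conn_hash_lookup_big_state(): first conn still BT_BOUND. */
static struct hci_conn *lookup_bound(struct hci_conn *conns, size_t n)
{
    for (size_t k = 0; k < n; k++) if (conns[k].state == BT_BOUND) return &conns[k];
    return NULL;
}
/* fixed == false is the pre-fix loop: i is never compared with num_bis, so it reads past
 * the flex array, and max_iter only makes the model halt (reaching it is the symptom).
 * fixed == true is the patched behaviour. Returns the number of loop iterations run. */
static int big_complete(const struct hci_evt_le_create_big_complete *ev,
                        struct hci_conn *conns, size_t n, bool fixed, int max_iter)
{
    struct hci_conn *conn; int i = 0, it = 0;
    while (it < max_iter && (conn = lookup_bound(conns, n))) {
        it++;
        if ((!fixed || i < ev->num_bis) && hci_conn_set_handle(conn, ev->bis_handle[i++]))
            continue;                   /* this BIS is set up; look for the next one */
        if (!fixed) continue;           /* pre-fix: conn still BT_BOUND, found again */
        for (size_t k = 0; k < n; k++)  /* fix: not all BIS set up, terminate the BIG */
            if (conns[k].state == BT_BOUND) conns[k].state = BT_CLOSED;
        break;
    }
    return it;
}
/* Constructed scenario: three BT_BOUND conns; everything past the num_bis valid
 * entries is 0xFF, standing in for whatever the adjacent heap memory would hold. */
static int demo_iterations(uint8_t num_bis, bool fixed)
{
    uint16_t raw[16];                   /* uint16_t storage keeps bis_handle[] aligned */
    memset(raw, 0xFF, sizeof raw);
    struct hci_evt_le_create_big_complete *ev = (void *)raw;
    ev->num_bis = num_bis;
    for (uint8_t j = 0; j < num_bis; j++) ev->bis_handle[j] = 0x0001 + j;
    struct hci_conn conns[3] = {{BT_BOUND, 0}, {BT_BOUND, 0}, {BT_BOUND, 0}};
    return big_complete(ev, conns, 3, fixed, 8);
}
```

With num_bis = 1 or 0 the pre-fix loop runs until the safety cap, while the fixed loop stops after the first missing or rejected entry and closes the remaining bound connections; with enough valid entries both behave the same.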

