CVE-2026-46138
Analyzed Analyzed - Analysis Complete

Bluetooth OOB Read in Linux Kernel

Vulnerability report for CVE-2026-46138, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-28

Last updated on: 2026-06-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access. When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held. Fix this by terminating the BIG if in case not all BIS could be setup properly.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-28
Last Modified
2026-06-24
Generated
2026-07-08
AI Q&A
2026-05-28
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.4.16 (inc) to 6.5 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.88 (exc)
linux linux_kernel From 6.5.3 (inc) to 6.6.140 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability has been resolved by fixing the Linux kernel Bluetooth code to properly terminate the BIG if not all BIS could be set up properly.

Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.

Impact Analysis

This vulnerability can cause the Linux kernel Bluetooth subsystem to enter an infinite loop while holding a device lock, potentially leading to a denial of service (DoS) condition where Bluetooth functionality becomes unresponsive or the system's Bluetooth resources are locked.

Additionally, the out-of-bounds read accesses adjacent heap memory, which could lead to memory corruption or instability in the kernel, further impacting system reliability and security.

Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth subsystem, specifically in the function hci_le_create_big_complete_evt(). The function iterates over BT_BOUND connections for a BIG handle using a while loop, accessing an array ev->bis_handle without checking if the index stays within the valid range ev->num_bis.

If a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than expected or with num_bis set to zero, the loop reads beyond the valid bis_handle array into adjacent heap memory. This out-of-bounds read can cause the connection to remain in a BT_BOUND state and triggers an infinite loop while holding a device lock.

The issue is fixed by terminating the BIG if not all BIS could be set up properly, preventing the out-of-bounds read and infinite loop.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46138. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart