CVE-2026-46186
Analyzed Analyzed - Analysis Complete
Bluetooth: virtio_bt Kernel Buffer Overflow Vulnerability

Publication date: 2026-05-28

Last updated on: 2026-06-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtio_bt: validate rx pkt_type header length virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type. After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core. After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path. Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-11
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46186
EUVD
EUVD-2026-32813
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel From 6.0.8 (inc) to 6.1 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.88 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.140 (exc)
linux linux_kernel From 5.15.78 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.1.1 (inc) to 6.1.175 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth virtio_bt driver. The function virtbt_rx_handle() reads a packet type byte from incoming data and forwards the rest to another function without verifying that the remaining data is large enough to contain the expected header for that packet type.

Because the driver does not check the length of the remaining payload against the required header size for each packet type, it can end up passing incomplete or uninitialized data to the core Bluetooth stack. This can cause the system to read uninitialized memory, which may lead to undefined behavior.

The fix involves validating that the remaining payload length after removing the packet type byte is at least the fixed header size required for that packet type before processing it further. If the length is insufficient, the packet is dropped with a rate-limited error message.

Impact Analysis

This vulnerability can cause the Linux kernel Bluetooth driver to read uninitialized memory when processing certain Bluetooth packets. This may lead to unpredictable behavior such as system instability, crashes, or potential information leakage from uninitialized memory.

Because the vulnerability involves handling data from an untrusted backend, it could be exploited to cause denial of service or potentially expose sensitive kernel memory contents.

Mitigation Strategies

The vulnerability has been resolved by a patch in the Linux kernel that validates the RX packet type header length in the virtio_bt driver.

Immediate mitigation involves updating the Linux kernel to a version that includes this patch, which ensures that the skb length is checked against the minimum HCI header size for each packet type before processing.

This patch drops packets that do not meet the minimum length requirement in a rate-limited manner to prevent kernel log flooding.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46186. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart