CVE-2026-53209
Received - Intake
Bluetooth Stack Buffer Overflow in Linux Kernel

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend

Existing advertising instances can already hold the maximum extended advertising payload. When hci_adv_bcast_annoucement() prepends the Broadcast Announcement service data to that payload, the combined data may no longer fit in the temporary buffer used to rebuild the advertising data.

Reject that case before copying the existing payload and report the failure through the device log. This keeps the existing advertising data intact and avoids overrunning the temporary buffer.

Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth component, specifically in the hci_sync code that handles Broadcast Announcement data.

The issue arises when existing advertising instances already hold the maximum extended advertising payload size. When the function hci_adv_bcast_annoucement() attempts to prepend Broadcast Announcement service data to this payload, the combined data may exceed the size of the temporary buffer used to rebuild the advertising data.

The fix rejects the case where the combined data would not fit before the existing payload is copied, and reports the failure through the device log. This preserves the existing advertising data and avoids overrunning the temporary buffer.
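The check-before-copy pattern described above, as an added user-space example; it is not the kernel's code or the actual patch. `ADV_BUF_LEN`, `struct adv_instance`, `fill_instance()`, `prepend_announcement()`, the `-EINVAL` return value and the use of stderr in place of the device log are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADV_BUF_LEN 251 /* assumed payload limit, chosen for this model */
#define ANNOUNCE_LEN 7  /* len + type + 16-bit UUID + 3-byte broadcast ID */

struct adv_instance { uint8_t data[ADV_BUF_LEN]; size_t len; }; /* hypothetical */

/* Fill an instance with `len` bytes of constructed payload. */
void fill_instance(struct adv_instance *adv, size_t len)
{
    memset(adv->data, 0xAA, sizeof(adv->data));
    adv->len = len;
}

/* Prepend the announcement; returns 0, or -EINVAL when it cannot fit. */
int prepend_announcement(struct adv_instance *adv, const uint8_t bid[3])
{
    uint8_t tmp[ADV_BUF_LEN];
    /* Reject before any copy, so adv->data is untouched on failure. */
    if (adv->len > sizeof(tmp) - ANNOUNCE_LEN) {
        fprintf(stderr, "announcement prepend rejected: %zu + %d > %zu\n",
                adv->len, ANNOUNCE_LEN, sizeof(tmp));
        return -EINVAL; /* error code is an assumption of this model */
    }
    tmp[0] = ANNOUNCE_LEN - 1; /* AD length byte excludes itself */
    tmp[1] = 0x16;             /* AD type: Service Data, 16-bit UUID */
    tmp[2] = 0x52;             /* UUID 0x1852, little-endian */
    tmp[3] = 0x18;
    memcpy(tmp + 4, bid, 3);
    memcpy(tmp + ANNOUNCE_LEN, adv->data, adv->len); /* safe: length checked */
    adv->len += ANNOUNCE_LEN;
    memcpy(adv->data, tmp, adv->len);
    return 0;
}

int main(void)
{
    const uint8_t bid[3] = {0x01, 0x02, 0x03}; /* constructed broadcast ID */
    struct adv_instance adv;
    fill_instance(&adv, ADV_BUF_LEN);                /* already at maximum */
    printf("full instance: %d\n", prepend_announcement(&adv, bid));
    fill_instance(&adv, ADV_BUF_LEN - ANNOUNCE_LEN); /* largest that fits */
    printf("fits exactly:  %d\n", prepend_announcement(&adv, bid));
    return 0;
}
```

Without the length check, the second `memcpy` would write up to `ANNOUNCE_LEN` bytes past the end of `tmp` whenever the instance is already full, which is the overrun the description refers to.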

Impact Analysis

If exploited, this vulnerability could cause a buffer overflow in the Bluetooth advertising data handling process within the Linux kernel.

Such a buffer overflow might lead to instability or crashes in the Bluetooth subsystem, potentially causing denial of service or unexpected behavior in devices relying on Bluetooth advertising.

The fix rejects oversized Broadcast Announcement prepends before copying data, preventing buffer overruns and maintaining system stability.
