CVE-2026-53255
Status: Received - Intake
Buffer Overflow in Linux Kernel Bluetooth MGMT

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate advertising TLV before type checks

tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer. A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data.

KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path:

  BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()
  Read of size 1
  Call trace:
    tlv_data_is_valid()
    add_advertising()
    hci_mgmt_cmd()
    hci_sock_sendmsg()

Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].
Affected Vendors & Products

  Vendor   Product        Version / Range
  linux    linux_kernel   *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth management code, specifically in the function that validates advertising data fields (TLV, Type-Length-Value). The function tlv_data_is_valid() reads the length byte of each advertising data field and then inspects the type byte that follows it. However, it performs the type check before ensuring the field fits within the buffer, so when the length byte is the last byte of the buffer the type read lands one byte beyond the buffer.

This out-of-bounds read can lead to memory safety issues, as detected by KASAN (Kernel Address Sanitizer), which reported a vmalloc-out-of-bounds error when a malformed MGMT_OP_ADD_ADVERTISING request triggered this code path.

The fix involved moving the length check before inspecting the type byte to ensure that each element is fully contained within the buffer before accessing its type.
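To make the ordering problem described in the kernel commit message and the executive summary concrete, the following added example (written for this page, not the kernel's own tlv_data_is_valid() and not code from the advisory) models the advertising-data validator with a switch that selects either the original check order (type octet inspected before the element-length check) or the fixed order (length check first). It is a simplified model: the set of "managed" EIR types is an assumed, reduced one with no dependency on advertising flags, the read_byte() helper is an instrumentation assumption that records an out-of-range index instead of actually reading past the buffer, and every sample buffer is constructed for the example rather than captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EIR data-type octets from the Bluetooth assigned numbers. */
#define EIR_FLAGS         0x01
#define EIR_NAME_COMPLETE 0x09
#define EIR_TX_POWER      0x0A
#define EIR_MANUFACTURER  0xFF

/* Result of one validation run. */
struct parse_result {
    bool valid;     /* parser's verdict on the buffer */
    bool oob_read;  /* parser asked for an index >= len */
};

/* Instrumented byte read (assumption for this example): where the real
 * parser would read past the buffer, this records the over-read and
 * returns 0 so the program stays well-defined in user space. */
static uint8_t read_byte(const uint8_t *data, size_t len, size_t idx, bool *oob)
{
    if (idx >= len) {
        *oob = true;
        return 0;
    }
    return data[idx];
}

/* Simplified stand-in for the kernel's managed-type checks: these EIR
 * types are produced by the kernel itself, so caller-supplied data that
 * carries them is rejected. The real checks also depend on the
 * advertising flags; that dependency is omitted here. */
static bool managed_type(uint8_t type)
{
    return type == EIR_FLAGS || type == EIR_NAME_COMPLETE || type == EIR_TX_POWER;
}

/* Validate a sequence of [length][type][payload...] elements.
 *   bounds_first == false : inspect the type octet, then check the element
 *                           length (the vulnerable order).
 *   bounds_first == true  : check the element length first (the fixed
 *                           order), so data[i + 1] is read only once the
 *                           element is known to contain it. */
static struct parse_result tlv_validate(const uint8_t *data, size_t len,
                                        bool bounds_first)
{
    struct parse_result r = { .valid = true, .oob_read = false };
    size_t i = 0;

    while (i < len) {
        uint8_t cur_len = read_byte(data, len, i, &r.oob_read);

        /* A zero length byte is padding with no type octet. */
        if (cur_len == 0) {
            i += 1;
            continue;
        }

        /* The element spans indices i .. i + cur_len inclusive, so it fits
         * only if that last index is still inside the buffer. */
        bool fits = (i + cur_len < len);

        if (bounds_first && !fits) {
            r.valid = false;
            break;
        }

        uint8_t type = read_byte(data, len, i + 1, &r.oob_read);
        if (managed_type(type)) {
            r.valid = false;
            break;
        }

        if (!bounds_first && !fits) {
            r.valid = false;
            break;
        }

        i += (size_t)cur_len + 1;
    }
    return r;
}

/* Constructed sample buffers (not captured traffic). */
/* Two manufacturer-specific elements that exactly fill the buffer. */
static const uint8_t SAMPLE_WELLFORMED[] = { 0x03, EIR_MANUFACTURER, 0x12, 0x34,
                                             0x02, EIR_MANUFACTURER, 0x01 };
/* A valid element followed by a lone length byte as the final byte: the
 * shape the advisory describes. */
static const uint8_t SAMPLE_MALFORMED[] = { 0x02, EIR_MANUFACTURER, 0x41, 0x05 };
/* Minimal case: a single non-zero length byte and nothing after it. */
static const uint8_t SAMPLE_LONE_LENGTH[] = { 0x01 };
/* Rejected on type grounds: caller supplies the kernel-managed Flags element. */
static const uint8_t SAMPLE_MANAGED[] = { 0x02, EIR_FLAGS, 0x06 };

static void report(const char *name, const uint8_t *buf, size_t len)
{
    struct parse_result v = tlv_validate(buf, len, false);
    struct parse_result f = tlv_validate(buf, len, true);
    printf("%-12s vulnerable order: valid=%d oob=%d | fixed order: valid=%d oob=%d\n",
           name, v.valid, v.oob_read, f.valid, f.oob_read);
}

int main(void)
{
    report("well-formed", SAMPLE_WELLFORMED, sizeof(SAMPLE_WELLFORMED));
    report("malformed", SAMPLE_MALFORMED, sizeof(SAMPLE_MALFORMED));
    report("lone length", SAMPLE_LONE_LENGTH, sizeof(SAMPLE_LONE_LENGTH));
    report("managed", SAMPLE_MANAGED, sizeof(SAMPLE_MANAGED));
    return 0;
}
```

Both orders reject the malformed buffers, which is why the bug is a silent over-read rather than a wrong verdict: only the instrumented oob_read flag distinguishes them, and only the bounds-first order keeps it clear on every malformed input while still accepting the well-formed buffer and rejecting the managed type.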

Impact Analysis

This vulnerability is a one-byte out-of-bounds memory read in the Linux kernel Bluetooth management code. Such memory safety issues can potentially be exploited to cause system crashes, denial of service, or possibly escalate privileges depending on the context and further exploitation.

Since it involves kernel memory, exploitation could compromise system stability or security, affecting devices running vulnerable Linux kernels with Bluetooth enabled.

Detection Guidance

This vulnerability involves a buffer over-read in the Bluetooth MGMT advertising data parser in the Linux kernel. Detection would involve monitoring for kernel messages or logs indicating KASAN (Kernel Address Sanitizer) reports related to vmalloc-out-of-bounds reads in the function tlv_data_is_valid().

You can check your system logs (e.g., using dmesg or journalctl) for messages similar to:

  • dmesg | grep -i 'KASAN: vmalloc-out-of-bounds'
  • journalctl -k | grep -i 'tlv_data_is_valid'

Additionally, monitoring Bluetooth management commands or malformed MGMT_OP_ADD_ADVERTISING requests could help detect attempts to exploit this issue, but no specific commands for this are provided.

Mitigation Strategies

The vulnerability has been resolved by moving the element-length check before any type-octet inspection in the Bluetooth MGMT advertising data parser. Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • If updating immediately is not possible, consider disabling Bluetooth management advertising features temporarily to reduce exposure.
  • Monitor system logs for any suspicious KASAN reports or malformed Bluetooth management commands.