Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync

CVE	CVE-2026-31772
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-01 15:16:40 UTC
Updated	2026-05-03 07:16:20 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync hci_le_big_create_sync() uses DEFINE_FLEX to allocate a struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17) BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31) entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31, the memcpy that copies conn->bis into cp->bis writes up to 14 bytes past the stack buffer, corrupting adjacent stack memory. This is trivially reproducible: binding an ISO socket with bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will eventually trigger hci_le_big_create_sync() from the HCI command sync worker, causing a KASAN-detectable stack-out-of-bounds write: BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0 Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71 Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that conn->bis can actually carry.

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000180000 probability, percentile 0.046600000 (date 2026-05-02)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 91d19383b7ed035e22165ae5c836e50bb9f95fbe f5d446624345d309e7a4a1b27ea9f028d6a8c5d9 git	Not specified
CNA	Linux	Linux	affected 42ecf1947135110ea08abeaca39741636f9a2285 aba0aea354015794e8312dd7efe726967e58aefe git	Not specified
CNA	Linux	Linux	affected 42ecf1947135110ea08abeaca39741636f9a2285 eaf32002ca7b1ba51c9f140991fd9febe6de79f0 git	Not specified
CNA	Linux	Linux	affected 42ecf1947135110ea08abeaca39741636f9a2285 bc39a094730ce062fa034a529c93147c096cb488 git	Not specified
CNA	Linux	Linux	affected 8958e1cee4e2eac1a5b825caa4dd96ce9ed975dd git	Not specified
CNA	Linux	Linux	affected 6.13	Not specified
CNA	Linux	Linux	unaffected 6.13 semver	Not specified
CNA	Linux	Linux	unaffected 6.12.81 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.22 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.12 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/aba0aea354015794e8312dd7efe726967e58aefe	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/f5d446624345d309e7a4a1b27ea9f028d6a8c5d9	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/bc39a094730ce062fa034a529c93147c096cb488	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/eaf32002ca7b1ba51c9f140991fd9febe6de79f0	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.