Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

Summary

CVE: CVE-2026-46138
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-05-28 10:16:29 UTC
Updated: 2026-05-30 11:17:23 UTC

Description:

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access. When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG if not all BIS could be set up properly.

Risk And Classification

Primary CVSS: v3.1 8.1 HIGH (from source 416baaa9-dc9f-4396-8d5f-8c081fb06d67)

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS: probability 0.000180000, percentile 0.051640000 (as of 2026-05-29)


Version | Source                               | Type      | Score | Severity | Vector
3.1     | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 8.1   | HIGH     | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
3.1     | CNA                                  | DECLARED  | 8.1   | HIGH     | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVSS v3.1 Breakdown

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Vendor Declared Affected Products

Source | Vendor | Product | Status     | Version                                  | Less than                                | Version type            | Platforms
CNA    | Linux  | Linux   | affected   | a0bfde167b506423111ddb8cd71930497a40fc54 | 6cb7f67bc28da787499291a562d49a084d9c90cd | git                     | Not specified
CNA    | Linux  | Linux   | affected   | a0bfde167b506423111ddb8cd71930497a40fc54 | 22559ad7654f61727fc270ee4893da9f4b70cf17 | git                     | Not specified
CNA    | Linux  | Linux   | affected   | a0bfde167b506423111ddb8cd71930497a40fc54 | 77981a507aa0fc001dc37f0dd6631dd2042fed17 | git                     | Not specified
CNA    | Linux  | Linux   | affected   | a0bfde167b506423111ddb8cd71930497a40fc54 | 665da0baaf0396f9ed3c86ccb3955dcd0b73e774 | git                     | Not specified
CNA    | Linux  | Linux   | affected   | a0bfde167b506423111ddb8cd71930497a40fc54 | 5ddb8014261137cadaf83ab5617a588d80a22586 | git                     | Not specified
CNA    | Linux  | Linux   | affected   | b475c1109251e30ec21fb574d72a1c71a4ab0039 |                                          | git                     | Not specified
CNA    | Linux  | Linux   | affected   | 2ccde10127447c1a5caad8469fede945bdb62fdf |                                          | git                     | Not specified
CNA    | Linux  | Linux   | affected   | 6.4.16                                   | 6.5                                      | semver                  | Not specified
CNA    | Linux  | Linux   | affected   | 6.5.3                                    | 6.6                                      | semver                  | Not specified
CNA    | Linux  | Linux   | affected   | 6.6                                      |                                          |                         | Not specified
CNA    | Linux  | Linux   | unaffected | 6.6                                      |                                          | semver                  | Not specified
CNA    | Linux  | Linux   | unaffected | 6.6.140                                  | 6.6.*                                    | semver                  | Not specified
CNA    | Linux  | Linux   | unaffected | 6.12.88                                  | 6.12.*                                   | semver                  | Not specified
CNA    | Linux  | Linux   | unaffected | 6.18.30                                  | 6.18.*                                   | semver                  | Not specified
CNA    | Linux  | Linux   | unaffected | 7.0.7                                    | 7.0.*                                    | semver                  | Not specified
CNA    | Linux  | Linux   | unaffected | 7.1-rc3                                  | *                                        | original_commit_for_fix | Not specified

References

Reference                                                              | Source                               | Link           | Tags
git.kernel.org/stable/c/5ddb8014261137cadaf83ab5617a588d80a22586       | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/77981a507aa0fc001dc37f0dd6631dd2042fed17       | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/6cb7f67bc28da787499291a562d49a084d9c90cd       | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/22559ad7654f61727fc270ee4893da9f4b70cf17       | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/665da0baaf0396f9ed3c86ccb3955dcd0b73e774       | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
CVE Program record                                                     | CVE.ORG                              | www.cve.org    | canonical
NVD vulnerability detail                                               | NVD                                  | nvd.nist.gov   | canonical, analysis

© CVE.report 2026
