CVE-2026-46138 (GCVE-0-2026-46138)

Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-05-28 09:35
Title
Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access.

When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG if in case not all BIS could be setup properly.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor: Linux
Product: Linux
Version:
  Affected: a0bfde167b506423111ddb8cd71930497a40fc54 , < 6cb7f67bc28da787499291a562d49a084d9c90cd (git)
  Affected: a0bfde167b506423111ddb8cd71930497a40fc54 , < 22559ad7654f61727fc270ee4893da9f4b70cf17 (git)
  Affected: a0bfde167b506423111ddb8cd71930497a40fc54 , < 77981a507aa0fc001dc37f0dd6631dd2042fed17 (git)
  Affected: a0bfde167b506423111ddb8cd71930497a40fc54 , < 665da0baaf0396f9ed3c86ccb3955dcd0b73e774 (git)
  Affected: a0bfde167b506423111ddb8cd71930497a40fc54 , < 5ddb8014261137cadaf83ab5617a588d80a22586 (git)
  Affected: b475c1109251e30ec21fb574d72a1c71a4ab0039 (git)
  Affected: 2ccde10127447c1a5caad8469fede945bdb62fdf (git)
  Affected: 6.4.16 , < 6.5 (semver)
  Affected: 6.5.3 , < 6.6 (semver)

Vendor: Linux
Product: Linux
Version:
  Affected: 6.6
  Unaffected: 0 , < 6.6 (semver)
  Unaffected: 6.6.140 , ≤ 6.6.* (semver)
  Unaffected: 6.12.88 , ≤ 6.12.* (semver)
  Unaffected: 6.18.30 , ≤ 6.18.* (semver)
  Unaffected: 7.0.7 , ≤ 7.0.* (semver)
  Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6cb7f67bc28da787499291a562d49a084d9c90cd",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "lessThan": "22559ad7654f61727fc270ee4893da9f4b70cf17",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "lessThan": "77981a507aa0fc001dc37f0dd6631dd2042fed17",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "lessThan": "665da0baaf0396f9ed3c86ccb3955dcd0b73e774",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "lessThan": "5ddb8014261137cadaf83ab5617a588d80a22586",
              "status": "affected",
              "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b475c1109251e30ec21fb574d72a1c71a4ab0039",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2ccde10127447c1a5caad8469fede945bdb62fdf",
              "versionType": "git"
            },
            {
              "lessThan": "6.5",
              "status": "affected",
              "version": "6.4.16",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6",
              "status": "affected",
              "version": "6.5.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt\n\nhci_le_create_big_complete_evt() iterates over BT_BOUND connections for\na BIG handle using a while loop, accessing ev-\u003ebis_handle[i++] on each\niteration.  However, there is no check that i stays within ev-\u003enum_bis\nbefore the array access.\n\nWhen a controller sends a LE_Create_BIG_Complete event with fewer\nbis_handle entries than there are BT_BOUND connections for that BIG,\nor with num_bis=0, the loop reads beyond the valid bis_handle[] flex\narray into adjacent heap memory.  Since the out-of-bounds values\ntypically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()\nrejects them and the connection remains in BT_BOUND state.  The same\nconnection is then found again by hci_conn_hash_lookup_big_state(),\ncreating an infinite loop with hci_dev_lock held.\n\nFix this by terminating the BIG if in case not all BIS could be setup\nproperly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T09:35:54.467Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6cb7f67bc28da787499291a562d49a084d9c90cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/22559ad7654f61727fc270ee4893da9f4b70cf17"
        },
        {
          "url": "https://git.kernel.org/stable/c/77981a507aa0fc001dc37f0dd6631dd2042fed17"
        },
        {
          "url": "https://git.kernel.org/stable/c/665da0baaf0396f9ed3c86ccb3955dcd0b73e774"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ddb8014261137cadaf83ab5617a588d80a22586"
        }
      ],
      "title": "Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46138",
    "datePublished": "2026-05-28T09:35:54.467Z",
    "dateReserved": "2026-05-13T15:03:33.100Z",
    "dateUpdated": "2026-05-28T09:35:54.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46138",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.05164"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46138\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-28T10:16:29.357\",\"lastModified\":\"2026-05-28T13:44:01.663\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt\\n\\nhci_le_create_big_complete_evt() iterates over BT_BOUND connections for\\na BIG handle using a while loop, accessing ev-\u003ebis_handle[i++] on each\\niteration.  However, there is no check that i stays within ev-\u003enum_bis\\nbefore the array access.\\n\\nWhen a controller sends a LE_Create_BIG_Complete event with fewer\\nbis_handle entries than there are BT_BOUND connections for that BIG,\\nor with num_bis=0, the loop reads beyond the valid bis_handle[] flex\\narray into adjacent heap memory.  Since the out-of-bounds values\\ntypically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()\\nrejects them and the connection remains in BT_BOUND state.  The same\\nconnection is then found again by hci_conn_hash_lookup_big_state(),\\ncreating an infinite loop with hci_dev_lock held.\\n\\nFix this by terminating the BIG if in case not all BIS could be setup\\nproperly.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/22559ad7654f61727fc270ee4893da9f4b70cf17\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5ddb8014261137cadaf83ab5617a588d80a22586\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/665da0baaf0396f9ed3c86ccb3955dcd0b73e774\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6cb7f67bc28da787499291a562d49a084d9c90cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/77981a507aa0fc001dc37f0dd6631dd2042fed17\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

