Bluetooth: virtio_bt: clamp rx length before skb_put_CVE-2026-46123

7.7 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: virtio_bt: clamp rx length before skb_put

virtbt_rx_work() calls skb_put(skb, len) where len comes directly
from virtqueue_get_buf() with no validation against the buffer we
posted to the device. The RX skb is allocated in virtbt_add_inbuf()
and exposed to virtio as exactly 1000 bytes via sg_init_one().

Checking len against skb_tailroom(skb) is not sufficient because
alloc_skb() can leave more tailroom than the 1000 bytes actually
handed to the device. A malicious or buggy backend can therefore
report used.len between 1001 and skb_tailroom(skb), causing skb_put()
to include uninitialized kernel heap bytes that were never written by
the device.

The same path also accepts len == 0, in which case skb_put(skb, 0)
leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
byte from skb->data, consuming uninitialized memory.

Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
sg_init_one(), and gate virtbt_rx_work() on that same constant so
the bound checked matches the buffer actually exposed to the device.
Reject used.len == 0 in the same gate so an empty completion can
no longer reach virtbt_rx_handle().

Use bt_dev_err_ratelimited() because the length value comes from an
untrusted backend that can otherwise flood the kernel log.

Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened the USB 9p
transport against unchecked device-reported length.

Basic Information

ID CVE-2026-46123

Source Linux

Published May 28, 2026 at 09:35

Modified May 30, 2026 at 10:48

Affected Product

Vendor Linux

Product Linux

Version 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be

Affected Versions Linux Linux 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Linux Linux 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Linux Linux 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Linux Linux 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Linux Linux 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be
Linux Linux cf2719a21fdb9d4c8e9c834d279163609bef575d
Linux Linux 9b67438e315b925a699f0178f4a48baf3d2d6ef4
Linux Linux 5.15.78
Linux Linux 6.0.8
Linux Linux 6.1

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: virtio_bt: clamp rx length before skb_put\n\nvirtbt_rx_work() calls skb_put(skb, len) where len comes directly\nfrom virtqueue_get_buf() with no validation against the buffer we\nposted to the device. The RX skb is allocated in virtbt_add_inbuf()\nand exposed to virtio as exactly 1000 bytes via sg_init_one().\n\nChecking len against skb_tailroom(skb) is not sufficient because\nalloc_skb() can leave more tailroom than the 1000 bytes actually\nhanded to the device. A malicious or buggy backend can therefore\nreport used.len between 1001 and skb_tailroom(skb), causing skb_put()\nto include uninitialized kernel heap bytes that were never written by\nthe device.\n\nThe same path also accepts len == 0, in which case skb_put(skb, 0)\nleaves the skb empty but virtbt_rx_handle() still reads the pkt_type\nbyte from skb->data, consuming uninitialized memory.\n\nDefine VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and\nsg_init_one(), and gate virtbt_rx_work() on that same constant so\nthe bound checked matches the buffer actually exposed to the device.\nReject used.len == 0 in the same gate so an empty completion can\nno longer reach virtbt_rx_handle().\n\nUse bt_dev_err_ratelimited() because the length value comes from an\nuntrusted backend that can otherwise flood the kernel log.\n\nSame class of bug as commit c04db81cd028 (\"net/9p: Fix buffer\noverflow in USB transport layer\"), which hardened the USB 9p\ntransport against unchecked device-reported length.",
    "published": "2026-05-28T09:35:38.003Z",
    "modified": "2026-05-30T10:48:01.376Z",
    "type": "cve",
    "title": "Bluetooth: virtio_bt: clamp rx length before skb_put",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/ed41c81d30b211a671667259c3b5feeba0e062d5\nhttps://git.kernel.org/stable/c/6c1730099a6fc18b183bd6c1adad3b54adcaeda9\nhttps://git.kernel.org/stable/c/b40cdd1b1370d76e9e760af4490cb4a351cceead\nhttps://git.kernel.org/stable/c/e6b4296f170d949ebba937cf6a3f247ec9550d2c\nhttps://git.kernel.org/stable/c/21bd244b6de5d2fe1063c23acc93fbdd2b20d112",
    "id": "CVE-2026-46123",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be\nLinux Linux 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be\nLinux Linux 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be\nLinux Linux 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be\nLinux Linux 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be\nLinux Linux cf2719a21fdb9d4c8e9c834d279163609bef575d\nLinux Linux 9b67438e315b925a699f0178f4a48baf3d2d6ef4\nLinux Linux 5.15.78\nLinux Linux 6.0.8\nLinux Linux 6.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "160fbcf3bfb93c3c086427f9f4c8bc70f217e9be",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply