Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

8.1 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for
a BIG handle using a while loop, accessing ev->bis_handle[i++] on each
iteration. However, there is no check that i stays within ev->num_bis
before the array access.

When a controller sends a LE_Create_BIG_Complete event with fewer
bis_handle entries than there are BT_BOUND connections for that BIG,
or with num_bis=0, the loop reads beyond the valid bis_handle[] flex
array into adjacent heap memory. Since the out-of-bounds values
typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()
rejects them and the connection remains in BT_BOUND state. The same
connection is then found again by hci_conn_hash_lookup_big_state(),
creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG if in case not all BIS could be setup
properly.

Basic Information

ID CVE-2026-46138

Source Linux

Published May 28, 2026 at 09:35

Modified May 30, 2026 at 10:48

Affected Product

Vendor Linux

Product Linux

Version a0bfde167b506423111ddb8cd71930497a40fc54

Affected Versions Linux Linux a0bfde167b506423111ddb8cd71930497a40fc54
Linux Linux a0bfde167b506423111ddb8cd71930497a40fc54
Linux Linux a0bfde167b506423111ddb8cd71930497a40fc54
Linux Linux a0bfde167b506423111ddb8cd71930497a40fc54
Linux Linux a0bfde167b506423111ddb8cd71930497a40fc54
Linux Linux b475c1109251e30ec21fb574d72a1c71a4ab0039
Linux Linux 2ccde10127447c1a5caad8469fede945bdb62fdf
Linux Linux 6.4.16
Linux Linux 6.5.3
Linux Linux 6.6

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt\n\nhci_le_create_big_complete_evt() iterates over BT_BOUND connections for\na BIG handle using a while loop, accessing ev->bis_handle[i++] on each\niteration.  However, there is no check that i stays within ev->num_bis\nbefore the array access.\n\nWhen a controller sends a LE_Create_BIG_Complete event with fewer\nbis_handle entries than there are BT_BOUND connections for that BIG,\nor with num_bis=0, the loop reads beyond the valid bis_handle[] flex\narray into adjacent heap memory.  Since the out-of-bounds values\ntypically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()\nrejects them and the connection remains in BT_BOUND state.  The same\nconnection is then found again by hci_conn_hash_lookup_big_state(),\ncreating an infinite loop with hci_dev_lock held.\n\nFix this by terminating the BIG if in case not all BIS could be setup\nproperly.",
    "published": "2026-05-28T09:35:54.467Z",
    "modified": "2026-05-30T10:48:16.091Z",
    "type": "cve",
    "title": "Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/6cb7f67bc28da787499291a562d49a084d9c90cd\nhttps://git.kernel.org/stable/c/22559ad7654f61727fc270ee4893da9f4b70cf17\nhttps://git.kernel.org/stable/c/77981a507aa0fc001dc37f0dd6631dd2042fed17\nhttps://git.kernel.org/stable/c/665da0baaf0396f9ed3c86ccb3955dcd0b73e774\nhttps://git.kernel.org/stable/c/5ddb8014261137cadaf83ab5617a588d80a22586",
    "id": "CVE-2026-46138",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux a0bfde167b506423111ddb8cd71930497a40fc54\nLinux Linux a0bfde167b506423111ddb8cd71930497a40fc54\nLinux Linux a0bfde167b506423111ddb8cd71930497a40fc54\nLinux Linux a0bfde167b506423111ddb8cd71930497a40fc54\nLinux Linux a0bfde167b506423111ddb8cd71930497a40fc54\nLinux Linux b475c1109251e30ec21fb574d72a1c71a4ab0039\nLinux Linux 2ccde10127447c1a5caad8469fede945bdb62fdf\nLinux Linux 6.4.16\nLinux Linux 6.5.3\nLinux Linux 6.6",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "a0bfde167b506423111ddb8cd71930497a40fc54",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt_CVE-2026-46138

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply