Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend_CVE-2026-53209

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend

Existing advertising instances can already hold the maximum extended
advertising payload. When hci_adv_bcast_annoucement() prepends the
Broadcast Announcement service data to that payload, the combined data
may no longer fit in the temporary buffer used to rebuild the
advertising data.

Reject that case before copying the existing payload and report the
failure through the device log. This keeps the existing advertising
data intact and avoids overrunning the temporary buffer.

Basic Information

ID CVE-2026-53209

Source Linux

Published Jun 25, 2026 at 08:39

Modified Jun 28, 2026 at 06:40

Affected Product

Vendor Linux

Product Linux

Version 63f365eb4d1668a04070151b555d55a07ede8d4b

Affected Versions Linux Linux 63f365eb4d1668a04070151b555d55a07ede8d4b
Linux Linux c621211b308816889f0a3246de448bfcef8ab3ab
Linux Linux 907ef6e12fb558a0763e894311eb245a94c192dd
Linux Linux 5725bc608252050ed8a4d47d59225b7dd73474c8
Linux Linux 5725bc608252050ed8a4d47d59225b7dd73474c8
Linux Linux 5725bc608252050ed8a4d47d59225b7dd73474c8
Linux Linux 15da883c010cbc2a84aec1738b6ad6ee477846de
Linux Linux 6.1.142
Linux Linux 6.6.94
Linux Linux 6.12.34
Linux Linux 6.15.3
Linux Linux 6.16

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: reject oversized Broadcast Announcement prepend\n\nExisting advertising instances can already hold the maximum extended\nadvertising payload. When hci_adv_bcast_annoucement() prepends the\nBroadcast Announcement service data to that payload, the combined data\nmay no longer fit in the temporary buffer used to rebuild the\nadvertising data.\n\nReject that case before copying the existing payload and report the\nfailure through the device log. This keeps the existing advertising\ndata intact and avoids overrunning the temporary buffer.",
    "published": "2026-06-25T08:39:14.915Z",
    "modified": "2026-06-28T06:40:25.549Z",
    "type": "cve",
    "title": "Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/10b0e832cc05d7aef4b92bed912cbd4a395d0862\nhttps://git.kernel.org/stable/c/1338ee049a8910ba6c9cee963920e978e6893c7d\nhttps://git.kernel.org/stable/c/02f50e8bb69f9b22516163a09922f5537d3b12d1\nhttps://git.kernel.org/stable/c/dafc9f57140e66a10945127aa7433c3d715dc253\nhttps://git.kernel.org/stable/c/cdd8bbdbee763fdf5bf343e6f7d4e79347739f62\nhttps://git.kernel.org/stable/c/5c65b96b549ea2dcfde497436bf9e048deb87758",
    "id": "CVE-2026-53209",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 63f365eb4d1668a04070151b555d55a07ede8d4b\nLinux Linux c621211b308816889f0a3246de448bfcef8ab3ab\nLinux Linux 907ef6e12fb558a0763e894311eb245a94c192dd\nLinux Linux 5725bc608252050ed8a4d47d59225b7dd73474c8\nLinux Linux 5725bc608252050ed8a4d47d59225b7dd73474c8\nLinux Linux 5725bc608252050ed8a4d47d59225b7dd73474c8\nLinux Linux 15da883c010cbc2a84aec1738b6ad6ee477846de\nLinux Linux 6.1.142\nLinux Linux 6.6.94\nLinux Linux 6.12.34\nLinux Linux 6.15.3\nLinux Linux 6.16",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "63f365eb4d1668a04070151b555d55a07ede8d4b",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply