{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt\\n\\nhci_le_create_big_complete_evt() iterates over BT_BOUND connections for\\na BIG handle using a while loop, accessing ev-\\u003ebis_handle[i++] on each\\niteration. However, there is no check that i stays within ev-\\u003enum_bis\\nbefore the array access.\\n\\nWhen a controller sends a LE_Create_BIG_Complete event with fewer\\nbis_handle entries than there are BT_BOUND connections for that BIG,\\nor with num_bis=0, the loop reads beyond the valid bis_handle[] flex\\narray into adjacent heap memory. Since the out-of-bounds values\\ntypically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()\\nrejects them and the connection remains in BT_BOUND state. The same\\nconnection is then found again by hci_conn_hash_lookup_big_state(),\\ncreating an infinite loop with hci_dev_lock held.\\n\\nFix this by terminating the BIG if in case not all BIS could be setup\\nproperly.”,”published”:”2026-05-28T09:35:54.467Z”,”modified”:”2026-05-30T10:48:16.091Z”,”type”:”cve”,”title”:”Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/6cb7f67bc28da787499291a562d49a084d9c90cd\\nhttps:\/\/git.kernel.org\/stable\/c\/22559ad7654f61727fc270ee4893da9f4b70cf17\\nhttps:\/\/git.kernel.org\/stable\/c\/77981a507aa0fc001dc37f0dd6631dd2042fed17\\nhttps:\/\/git.kernel.org\/stable\/c\/665da0baaf0396f9ed3c86ccb3955dcd0b73e774\\nhttps:\/\/git.kernel.org\/stable\/c\/5ddb8014261137cadaf83ab5617a588d80a22586″,”id”:”CVE-2026-46138″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux a0bfde167b506423111ddb8cd71930497a40fc54\\nLinux Linux a0bfde167b506423111ddb8cd71930497a40fc54\\nLinux Linux a0bfde167b506423111ddb8cd71930497a40fc54\\nLinux Linux a0bfde167b506423111ddb8cd71930497a40fc54\\nLinux Linux a0bfde167b506423111ddb8cd71930497a40fc54\\nLinux Linux b475c1109251e30ec21fb574d72a1c71a4ab0039\\nLinux Linux 2ccde10127447c1a5caad8469fede945bdb62fdf\\nLinux Linux 6.4.16\\nLinux Linux 6.5.3\\nLinux Linux 6.6″,”sourceHref”:””,”cvss”:{“score”:8.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:A\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”a0bfde167b506423111ddb8cd71930497a40fc54″,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt\\n\\nhci_le_create_big_complete_evt() iterates over BT_BOUND connections for\\na BIG…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,52,12,15,13,7,11,5],"class_list":["post-58497","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-81","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n