Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync

hci_le_big_create_sync() uses DEFINE_FLEX to allocate a
struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17)
BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31)
entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller
hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31,
the memcpy that copies conn->bis into cp->bis writes up to 14 bytes
past the stack buffer, corrupting adjacent stack memory.

This is trivially reproducible: binding an ISO socket with
bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will
eventually trigger hci_le_big_create_sync() from the HCI command
sync worker, causing a KASAN-detectable stack-out-of-bounds write:

BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0
Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71

Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to
HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that
conn->bis can actually carry.
Published: 2026-05-01
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack buffer overflow exists in the Linux kernel Bluetooth HCI command sync code, in hci_le_big_create_sync(). The function allocates a stack buffer with room for 17 Broadcast Isochronous Stream (BIS) entries, but conn->num_bis, which the caller validates only against ISO_MAX_NUM_BIS (31), can hold up to 31 entries, so the memcpy into cp->bis writes up to 14 bytes past the end of the buffer and corrupts adjacent kernel stack memory. The bug is reachable from user space: binding a Bluetooth ISO socket with bc_num_bis set to the maximum and calling listen() eventually runs hci_le_big_create_sync() from the HCI command sync worker, which KASAN reports as a stack-out-of-bounds write. Kernel stack corruption of this kind can crash the system and, depending on what is overwritten, may be usable for local privilege escalation; the advisory itself demonstrates only the KASAN-detected write.
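The size mismatch described above, as an added user-space model (not the kernel's code and not the upstream patch): a stack buffer carved out for 17 BIS entries, a connection carrying the 31 entries the caller's ISO_MAX_NUM_BIS check allows, and a copy that refuses to write past the buffer instead of overflowing it. The struct layout, the BIS_BUF macro and the names model_conn, copy_bis_checked, try_old_size and try_fixed_size are assumptions for illustration; the constants 0x11, HCI_MAX_ISO_BIS and ISO_MAX_NUM_BIS and their values come from the commit message. The upstream fix simply enlarges the buffer to HCI_MAX_ISO_BIS; the explicit capacity check here is an extra defensive step shown for contrast.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as given in the commit message. */
#define HCI_MAX_ISO_BIS     31
#define ISO_MAX_NUM_BIS     0x1f
#define OLD_DEFINE_FLEX_CNT 0x11   /* the incorrect count before the fix */

/* Simplified stand-in for struct hci_cp_le_big_create_sync: a fixed
 * header followed by a flexible array of one-byte BIS indices.
 * Field layout is an assumption, not the kernel's definition. */
struct cp_le_big_create_sync {
    uint8_t handle;
    uint8_t sync_handle[2];
    uint8_t encryption;
    uint8_t bcode[16];
    uint8_t mse;
    uint8_t timeout[2];
    uint8_t num_bis;
    uint8_t bis[];
};

/* Simplified model of the connection object: num_bis is validated
 * against ISO_MAX_NUM_BIS by the caller, bis holds HCI_MAX_ISO_BIS. */
struct model_conn {
    uint8_t num_bis;
    uint8_t bis[HCI_MAX_ISO_BIS];
};

/* A stack buffer with room for `cnt` BIS entries, the way DEFINE_FLEX
 * carves one out. All header fields are bytes, so no alignment issue. */
#define BIS_BUF(name, cnt)                                                  \
    uint8_t name##_raw[sizeof(struct cp_le_big_create_sync) + (cnt)] = {0}; \
    struct cp_le_big_create_sync *name = (struct cp_le_big_create_sync *)name##_raw

/* Bytes an unchecked memcpy of num_bis entries would write past a
 * buffer with room for `capacity` entries; 0 means it fits. */
size_t bis_overflow_bytes(unsigned num_bis, unsigned capacity)
{
    return num_bis > capacity ? num_bis - capacity : 0;
}

/* Defensive copy (added here, not the upstream fix): reject instead of
 * writing past the end. Returns entries copied, or -EINVAL. */
int copy_bis_checked(struct cp_le_big_create_sync *cp, size_t cp_capacity,
                     const struct model_conn *conn)
{
    if (conn->num_bis > ISO_MAX_NUM_BIS || conn->num_bis > cp_capacity)
        return -EINVAL;
    cp->num_bis = conn->num_bis;
    memcpy(cp->bis, conn->bis, conn->num_bis);
    return conn->num_bis;
}

/* Buffer sized with the pre-fix count: 31 entries do not fit. */
int try_old_size(const struct model_conn *conn)
{
    BIS_BUF(cp, OLD_DEFINE_FLEX_CNT);
    return copy_bis_checked(cp, OLD_DEFINE_FLEX_CNT, conn);
}

/* Buffer sized with the fixed count: every validated num_bis fits. */
int try_fixed_size(const struct model_conn *conn)
{
    BIS_BUF(cp, HCI_MAX_ISO_BIS);
    return copy_bis_checked(cp, HCI_MAX_ISO_BIS, conn);
}

/* Constructed sample connection carrying the maximum BIS count. */
struct model_conn sample_conn_max(void)
{
    struct model_conn c = { .num_bis = ISO_MAX_NUM_BIS };
    for (unsigned i = 0; i < c.num_bis; i++)
        c.bis[i] = (uint8_t)(i + 1);   /* BIS indices are 1-based */
    return c;
}

int main(void)
{
    struct model_conn c = sample_conn_max();
    printf("overflow with 0x11-entry buffer: %zu bytes\n",
           bis_overflow_bytes(c.num_bis, OLD_DEFINE_FLEX_CNT));
    printf("old size: %d, fixed size: %d\n",
           try_old_size(&c), try_fixed_size(&c));
    return 0;
}
```

With num_bis = 31 the old buffer is short by 14 bytes, matching the "up to 14 bytes past the stack buffer" in the advisory; the checked copy returns -EINVAL for the old size and 31 for the fixed size. The real kernel path has no such check, which is why the memcpy of 31 bytes lands as the KASAN "Write of size 31".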

Affected Systems

Any Linux kernel build that contains the vulnerable hci_le_big_create_sync() code in the Bluetooth HCI sync implementation (net/bluetooth/hci_sync.c) and does not carry the commit that corrects the DEFINE_FLEX count is affected. Distribution kernels that have incorporated the patch are no longer affected. The advisory does not enumerate specific version numbers, so affected status should be judged by whether the fix is present rather than by version.

Risk and Exploitability

The flaw can be triggered by a local user who can create and bind a Bluetooth ISO socket. Triggering it requires only setting bc_num_bis to the maximum and calling listen(); the out-of-bounds memcpy then runs in the HCI command sync worker, and with KASAN enabled it is reported as a stack-out-of-bounds write. The CVSS 3.1 score is 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, so there is no confirmed in-the-wild exploitation yet. Nevertheless, the potential for local privilege escalation or denial of service warrants prompt patching.

Generated by OpenCVE AI on May 2, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that incorporates the hci_le_big_create_sync patch.
  • If a kernel update is not yet available, disable the Bluetooth services or unload the Bluetooth kernel modules to remove the vulnerable code path.
  • Use SELinux/AppArmor confinement to restrict which processes may create AF_BLUETOOTH (including ISO) sockets, which narrows who can reach the trigger; note that kernel lockdown does not prevent this kind of in-kernel memory corruption, since the faulty write happens inside the kernel's own worker, not from user space.

Generated by OpenCVE AI on May 2, 2026 at 13:27 UTC.


Advisories

No advisories yet.

History

Sat, 02 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 01 May 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-787

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync hci_le_big_create_sync() uses DEFINE_FLEX to allocate a struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17) BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31) entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31, the memcpy that copies conn->bis into cp->bis writes up to 14 bytes past the stack buffer, corrupting adjacent stack memory. This is trivially reproducible: binding an ISO socket with bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will eventually trigger hci_le_big_create_sync() from the HCI command sync worker, causing a KASAN-detectable stack-out-of-bounds write: BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0 Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71 Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that conn->bis can actually carry.
Title Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:15:00.582Z

Reserved: 2026-03-09T15:48:24.140Z

Link: CVE-2026-31772

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:40.470

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31772

Redhat

Severity : Important

Published: 2026-05-01T00:00:00Z

Links: CVE-2026-31772 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T13:30:43Z

Weaknesses