Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: virtio_bt: clamp rx length before skb_put

virtbt_rx_work() calls skb_put(skb, len) where len comes directly
from virtqueue_get_buf() with no validation against the buffer we
posted to the device. The RX skb is allocated in virtbt_add_inbuf()
and exposed to virtio as exactly 1000 bytes via sg_init_one().

Checking len against skb_tailroom(skb) is not sufficient because
alloc_skb() can leave more tailroom than the 1000 bytes actually
handed to the device. A malicious or buggy backend can therefore
report used.len between 1001 and skb_tailroom(skb), causing skb_put()
to include uninitialized kernel heap bytes that were never written by
the device.

The same path also accepts len == 0, in which case skb_put(skb, 0)
leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
byte from skb->data, consuming uninitialized memory.

Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
sg_init_one(), and gate virtbt_rx_work() on that same constant so
the bound checked matches the buffer actually exposed to the device.
Reject used.len == 0 in the same gate so an empty completion can
no longer reach virtbt_rx_handle().

Use bt_dev_err_ratelimited() because the length value comes from an
untrusted backend that can otherwise flood the kernel log.

Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened the USB 9p
transport against unchecked device-reported length.
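As an added illustration (not the kernel's code or the commit's patch), the following userspace model shows why a check against skb tailroom still admits lengths the device never filled, while a gate on VIRTBT_RX_BUF_SIZE that also rejects zero does not. struct model_skb, its assumed 1024-byte allocator rounding, model_tailroom() and run_case() are constructed stand-ins for sk_buff, skb_tailroom() and the used.len returned by virtqueue_get_buf().

```c
/* Added example, not the kernel's code: a userspace model of the virtio_bt RX
 * gate. model_skb, model_tailroom() and run_case() are constructed stand-ins
 * for sk_buff, skb_tailroom() and the used.len returned by virtqueue_get_buf(). */
#include <stdbool.h>
#include <stddef.h>

#define VIRTBT_RX_BUF_SIZE 1000 /* bytes actually posted via sg_init_one() */

struct model_skb {
    unsigned char data[1024]; /* assumed allocator rounding: more than 1000 */
    size_t len;               /* bytes currently claimed as valid data */
};

static size_t model_tailroom(const struct model_skb *skb)
{
    return sizeof(skb->data) - skb->len;
}

/* Naive gate the commit message calls insufficient: len in 1001..tailroom
 * passes even though the device was only handed 1000 bytes. */
static bool tailroom_gate_accepts(const struct model_skb *skb, unsigned int len)
{
    return len <= model_tailroom(skb);
}

/* Fixed gate: the bound is the size exposed to the device, and 0 is rejected
 * because virtbt_rx_handle() reads the pkt_type byte unconditionally. */
static bool fixed_gate_accepts(unsigned int len)
{
    return len != 0 && len <= VIRTBT_RX_BUF_SIZE;
}

enum rx_verdict { RX_REJECTED, RX_OK, RX_UNINIT_EXPOSED };
/* Model of virtbt_rx_work(): the device writes at most VIRTBT_RX_BUF_SIZE
 * bytes, so an accepted len above that, or len == 0 followed by the pkt_type
 * read, consumes heap bytes the device never wrote. */
static enum rx_verdict rx_work(struct model_skb *skb, unsigned int len, bool fixed)
{
    if (!(fixed ? fixed_gate_accepts(len) : tailroom_gate_accepts(skb, len)))
        return RX_REJECTED;
    skb->len += len; /* skb_put(skb, len) */
    return (len == 0 || len > VIRTBT_RX_BUF_SIZE) ? RX_UNINIT_EXPOSED : RX_OK;
}

/* Fresh RX buffer, one reported used.len, chosen gate. */
static enum rx_verdict run_case(unsigned int len, bool fixed)
{
    struct model_skb skb = { .len = 0 };
    return rx_work(&skb, len, fixed);
}
```

The tailroom-only variant accepts a reported length of 1005 on a buffer with 1024 bytes of tailroom, which is exactly the 1001..skb_tailroom window the commit message describes.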
Published: 2026-05-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the virtio_bt driver, where the length of data reported by a virtqueue backend is used directly to expand a socket buffer without sufficient validation. An attacker could craft a backend response with a length exceeding the 1000‑byte buffer actually allocated for the packet, leading the kernel to write uninitialized memory into the heap. If the length reported is zero, the driver still reads a packet type byte from uninitialized data, potentially exposing sensitive kernel information or contributing to a crash. Mutating kernel memory or leaking data are the primary consequences, which could enable privilege elevation or stability degradation.

Affected Systems

All Linux kernel variants that include the virtio_bt Bluetooth driver, without specific version restrictions indicated. The issue impacts the Bluetooth subsystem of virtualized environments where the virtio_bt backend is enabled.

Risk and Exploitability

The CVSS score is not supplied, but the nature of an unchecked buffer length gives this flaw a high severity. Exploitability requires control over or interaction with the virtqueue backend; it is therefore considered a local or device‑authenticated attack. No EPSS data is available, and the flaw is not listed in CISA’s KEV catalog. The practical attack vector likely involves a compromised or malicious Bluetooth backend or a bug in virtual device firmware. Because the flaw writes to the kernel heap, successful exploitation could lead to a kernel panic or arbitrary code execution at the system level.

Generated by OpenCVE AI on May 28, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel release that includes the commit fixing the virtio_bt length validation.
  • If an update cannot be applied immediately, disable the virtio_bt driver or Bluetooth support in the affected virtual machines until the patch is available.
  • If control over the virtio backend is possible, enforce strict length checks and reject any reported lengths greater than the buffer size or equal to zero.
  • Configure kernel log filtering to rate limit messages originating from virtio_bt to prevent log flooding.

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:45:00 +0000

Type         Values Removed   Values Added
Weaknesses   -                CWE-119

Thu, 28 May 2026 10:15:00 +0000

Type                 Values Removed   Values Added
Description          -                Full CVE description text, identical to the Description section above
Title                -                Bluetooth: virtio_bt: clamp rx length before skb_put
First Time appeared  -                Linux; Linux linux Kernel
CPEs                 -                cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   -                Linux; Linux linux Kernel
References           -                -
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:38.003Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46123

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T10:16:27.810

Modified: 2026-05-28T10:16:27.810

Link: CVE-2026-46123

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T12:30:16Z

Weaknesses