Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for
a BIG handle using a while loop, accessing ev->bis_handle[i++] on each
iteration. However, there is no check that i stays within ev->num_bis
before the array access.

When a controller sends a LE_Create_BIG_Complete event with fewer
bis_handle entries than there are BT_BOUND connections for that BIG,
or with num_bis=0, the loop reads beyond the valid bis_handle[] flex
array into adjacent heap memory. Since the out-of-bounds values
typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()
rejects them and the connection remains in BT_BOUND state. The same
connection is then found again by hci_conn_hash_lookup_big_state(),
creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG in case not all BIS could be set up
properly.
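The following C program is an added illustration, not the kernel's code and not part of the advisory: it models the event handling described above with a toy connection table and shows the two properties a hardened handler needs, a bounds check on `num_bis` (and on the received packet length) before every `bis_handle[]` read, and closing any BT_BOUND connection that receives no valid handle so the lookup loop cannot revisit it forever. `HCI_CONN_HANDLE_MAX` is the limit named on the page; every identifier prefixed `model_`, the table size, and the event layout used here are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of LE_Create_BIG_Complete handling, constructed for this
 * example; it is not the kernel's code. Identifiers prefixed "model_" are
 * assumptions of the model. */

#define HCI_CONN_HANDLE_MAX 0x0EFF   /* limit named on the page */
#define MODEL_MAX_CONNS 8            /* assumed size of the toy connection table */

/* CLOSED is zero so a zeroed table starts with no live connections. */
enum model_state { MODEL_BT_CLOSED = 0, MODEL_BT_BOUND, MODEL_BT_CONNECTED };

struct model_conn {
    uint8_t big;             /* BIG handle this BIS belongs to */
    enum model_state state;
    uint16_t handle;         /* HCI connection handle once set */
};

/* Assumed wire layout: fixed header followed by num_bis 16-bit handles. */
struct __attribute__((packed)) model_evt_le_create_big_complete {
    uint8_t status;
    uint8_t handle;          /* BIG handle */
    uint8_t num_bis;
    uint16_t bis_handle[];   /* flex array; only num_bis entries are valid */
};

struct model_hdev {
    struct model_conn conns[MODEL_MAX_CONNS];
    int big_terminated;      /* set when the handler decides to tear down the BIG */
};

/* Next connection still in BT_BOUND for this BIG, or NULL when none remain. */
static struct model_conn *model_lookup_big_bound(struct model_hdev *hdev, uint8_t big)
{
    for (int i = 0; i < MODEL_MAX_CONNS; i++)
        if (hdev->conns[i].state == MODEL_BT_BOUND && hdev->conns[i].big == big)
            return &hdev->conns[i];
    return NULL;
}

/* Mirrors the behaviour described for hci_conn_set_handle(): a handle above
 * HCI_CONN_HANDLE_MAX is rejected and the connection stays in BT_BOUND. */
static int model_conn_set_handle(struct model_conn *c, uint16_t handle)
{
    if (handle > HCI_CONN_HANDLE_MAX)
        return -1;
    c->handle = handle;
    c->state = MODEL_BT_CONNECTED;
    return 0;
}

/* Hardened handler. Returns the number of BIS set up, or -1 when the packet
 * is shorter than num_bis claims. A bound connection that gets no valid
 * handle is closed and the BIG marked for termination, so the loop always
 * makes progress even for num_bis = 0 or a short bis_handle[] array. */
int model_handle_create_big_complete(struct model_hdev *hdev,
                                     const struct model_evt_le_create_big_complete *ev,
                                     size_t ev_len)
{
    size_t hdr = offsetof(struct model_evt_le_create_big_complete, bis_handle);
    if (ev_len < hdr || (ev_len - hdr) / sizeof(ev->bis_handle[0]) < ev->num_bis)
        return -1;   /* controller claims more handles than it actually sent */

    struct model_conn *conn;
    uint8_t i = 0;
    int ok = 0;

    while ((conn = model_lookup_big_bound(hdev, ev->handle)) != NULL) {
        if (ev->status == 0 && i < ev->num_bis &&
            model_conn_set_handle(conn, ev->bis_handle[i++]) == 0) {
            ok++;
            continue;
        }
        /* Not all BIS could be set up: drop this one and terminate the BIG. */
        conn->state = MODEL_BT_CLOSED;
        hdev->big_terminated = 1;
    }
    return ok;
}

/* Builds a controller event from constructed values and runs it against a
 * device with `bound` connections bound to BIG 1. `handles_sent` is how many
 * handles are really in the packet, which may differ from `num_bis`. */
int model_run_scenario(int bound, uint8_t num_bis, const uint16_t *handles,
                       size_t handles_sent, int *terminated)
{
    struct model_hdev hdev;
    memset(&hdev, 0, sizeof(hdev));
    for (int i = 0; i < bound && i < MODEL_MAX_CONNS; i++) {
        hdev.conns[i].big = 1;
        hdev.conns[i].state = MODEL_BT_BOUND;
    }

    size_t len = offsetof(struct model_evt_le_create_big_complete, bis_handle)
                 + handles_sent * sizeof(uint16_t);
    struct model_evt_le_create_big_complete *ev = calloc(1, len + 1);
    if (!ev)
        return -1;
    ev->status = 0;
    ev->handle = 1;
    ev->num_bis = num_bis;
    memcpy(ev->bis_handle, handles, handles_sent * sizeof(uint16_t));

    int ret = model_handle_create_big_complete(&hdev, ev, len);
    *terminated = hdev.big_terminated;
    free(ev);
    return ret;
}

int main(void)
{
    const uint16_t two[] = { 0x0010, 0x0011 };
    const uint16_t bad[] = { 0x0010, 0x0F00 };   /* second handle exceeds the max */
    int term, ret;

    ret = model_run_scenario(2, 2, two, 2, &term);
    printf("complete event : ok=%d terminated=%d\n", ret, term);
    ret = model_run_scenario(2, 1, two, 1, &term);
    printf("num_bis=1      : ok=%d terminated=%d\n", ret, term);
    ret = model_run_scenario(2, 0, two, 0, &term);
    printf("num_bis=0      : ok=%d terminated=%d\n", ret, term);
    ret = model_run_scenario(2, 2, bad, 2, &term);
    printf("invalid handle : ok=%d terminated=%d\n", ret, term);
    ret = model_run_scenario(2, 2, two, 1, &term);
    printf("short packet   : ret=%d\n", ret);
    return 0;
}
```

The three cases the page names (fewer handles than bound connections, `num_bis = 0`, and an out-of-range handle) all end with the BIG marked for termination rather than a loop that never terminates; the length check additionally rejects a packet whose `num_bis` exceeds what was received, which the advisory's fix does not mention and is added here as defensive parsing.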
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Linux‑kernel Bluetooth stack where the hci_le_create_big_complete_evt routine iterates over an array of BIS handles without checking that the index stays within the declared number of BIS entries. When a controller sends a LE_Create_BIG_Complete event with fewer BIS handles than reported, the code reads beyond the end of the flex array, producing out‑of‑bounds values that are rejected by the connection routine yet leave the connection in a bound state. This triggers an endless loop that keeps the HCI device lock held, causing the kernel to become unresponsive and potentially leading to a system crash or restart. The result is a classic denial‑of‑service that can starve all processes that rely on the Bluetooth stack.

Affected Systems

All Linux kernel releases that contain the unpatched hci_le_create_big_complete_evt implementation are affected; no specific version ranges are supplied in the advisory, so the flaw applies to both current and legacy kernels that process LE_Create_BIG_Complete events. The vulnerability is referenced in multiple kernel patch commits linked in the advisory.

Risk and Exploitability

No CVSS score is provided and the EPSS metric is unavailable, but the bug can be triggered by a malicious Bluetooth controller that sends a crafted LE_Create_BIG_Complete packet. The attack does not require elevated privileges; it exploits the kernel's handling of a short array and can be delivered over a wireless Bluetooth connection. Because the resulting infinite loop holds a critical lock, the impact is high, yielding a denial of service to the host and all kernel operations. Although the vulnerability is not listed in CISA’s KEV catalog, the moderate complexity of the exploit and the prevalence of Bluetooth interfaces make it potentially widely exploitable.

Generated by OpenCVE AI on May 28, 2026 at 11:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a patched version that includes the fix corresponding to commit 22559ad…; this removes the out‑of‑bounds read and infinite loop.
  • If an upgrade cannot be performed immediately, restrict Bluetooth access to trusted devices or disable Bluetooth entirely on the host to prevent receipt of malicious LE_Create_BIG_Complete events.
  • As a temporary workaround, disable the parsing of LE_Create_BIG_Complete events in the kernel (for example by setting a module parameter or compiling the Bluetooth stack without BIG support) to avoid the infinite loop while maintaining basic Bluetooth functionality.


Tracking


Advisories

No advisories yet.

History

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-788

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access. When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held. Fix this by terminating the BIG if in case not all BIS could be setup properly.
Title Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:54.467Z

Reserved: 2026-05-13T15:03:33.100Z

Link: CVE-2026-46138

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:29.357

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46138

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T12:00:14Z

Weaknesses