Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for
a BIG handle using a while loop, accessing ev->bis_handle[i++] on each
iteration. However, there is no check that i stays within ev->num_bis
before the array access.

When a controller sends a LE_Create_BIG_Complete event with fewer
bis_handle entries than there are BT_BOUND connections for that BIG,
or with num_bis=0, the loop reads beyond the valid bis_handle[] flex
array into adjacent heap memory. Since the out-of-bounds values
typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()
rejects them and the connection remains in BT_BOUND state. The same
connection is then found again by hci_conn_hash_lookup_big_state(),
creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG in case not all BIS could be set up
properly.
Published: 2026-05-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel Bluetooth stack contains an out‑of‑bounds read in the hci_le_create_big_complete_evt handler. It iterates over the event's array of BIS handles without ensuring the index stays below the reported num_bis count. When a controller sends a LE_Create_BIG_Complete event with fewer BIS handles than there are bound connections for that BIG, or with num_bis set to zero, the function reads beyond the valid array into adjacent heap memory. These out‑of‑bounds values are rejected by the connection routine, so the associated connection remains in the bound state and is found again on the next lookup. The handler then loops indefinitely while the HCI device lock is held, making the kernel's Bluetooth subsystem unresponsive.

Affected Systems

All Linux kernel builds that include the pre‑patch hci_le_create_big_complete_evt routine are vulnerable. No specific version range is listed in the advisory, so the flaw applies from the earliest kernel release that processes LE_Create_BIG_Complete events up to the latest unpatched kernel. The patch is referenced by commit 22559ad… in the kernel source history.

Risk and Exploitability

Based on the description, it is inferred that the likely attack vector is a malicious LE_Create_BIG_Complete packet transmitted over a Bluetooth link. The CVSS score is 8.1, indicating high severity, and the EPSS score is less than 1%, implying a low current exploitation probability. An attacker only needs to transmit that packet; no elevated privileges are required. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on May 30, 2026 at 12:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix corresponding to commit 22559ad…; this removes the out‑of‑bounds read and infinite loop.
  • If a kernel update cannot be applied immediately, disable the host’s Bluetooth interface or restrict it to trusted devices to prevent reception of malicious LE_Create_BIG_Complete events.
  • As a temporary measure, rebuild or reconfigure the kernel to disable BIG support, which stops the parsing of LE_Create_BIG_Complete events altogether.

Advisories

No advisories yet.

History

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics
  Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Fri, 29 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-788

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Moderate


Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-788

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description
  Values Added: the advisory text reproduced in the Description section above
Title
  Values Added: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
First Time appeared
  Values Added: Linux; Linux linux Kernel
CPEs
  Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products
  Values Added: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:57:18.234Z

Reserved: 2026-05-13T15:03:33.100Z

Link: CVE-2026-46138

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:29.357

Modified: 2026-05-30T11:17:23.500

Link: CVE-2026-46138

Redhat

Severity : Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46138 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:00:12Z

Weaknesses