Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend

Existing advertising instances can already hold the maximum extended
advertising payload. When hci_adv_bcast_annoucement() prepends the
Broadcast Announcement service data to that payload, the combined data
may no longer fit in the temporary buffer used to rebuild the
advertising data.

Reject that case before copying the existing payload and report the
failure through the device log. This keeps the existing advertising
data intact and avoids overrunning the temporary buffer.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw addressed by "Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend" in the Linux kernel allows a buffer overrun while advertising data is rebuilt. When a host holds an extended advertising payload and receives a broadcast announcement, the kernel prepends the service data without confirming that the combined size fits in the temporary buffer. This can corrupt memory and potentially trigger a kernel panic, resulting in denial of service. The fix rejects the oversized request before copying and logs the failure, preserving existing advertising data.
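The check described above, sketched in user-space C as an added example (this is not the kernel's code). The names `adv_instance`, `adv_prepend` and `ADV_MAX_LEN`, the capacity value and the sample bytes are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADV_MAX_LEN 251 /* assumed capacity of payload and temp buffer */

struct adv_instance {   /* hypothetical stand-in for an advertising instance */
    uint8_t data[ADV_MAX_LEN];
    size_t len;
};

/* Constructed sample element: length, AD type 0x16 (service data), 5 value bytes. */
static const uint8_t sample_hdr[] = { 0x06, 0x16, 0x52, 0x18, 0x01, 0x02, 0x03 };

/*
 * Prepend hdr to adv->data by rebuilding the payload in a temporary buffer.
 * Returns 0 on success, -EINVAL if the combined data would not fit; on
 * failure nothing is copied and adv is left exactly as it was.
 */
int adv_prepend(struct adv_instance *adv, const uint8_t *hdr, size_t hdr_len)
{
    uint8_t tmp[ADV_MAX_LEN];

    /* Validate before any copy. The subtraction form cannot wrap around. */
    if (adv->len > sizeof(tmp) || hdr_len > sizeof(tmp) - adv->len) {
        fprintf(stderr, "adv_prepend: %zu + %zu exceeds %zu bytes\n",
                hdr_len, adv->len, sizeof(tmp));
        return -EINVAL;
    }

    memcpy(tmp, hdr, hdr_len);                  /* new element first */
    memcpy(tmp + hdr_len, adv->data, adv->len); /* then the existing payload */
    adv->len += hdr_len;
    memcpy(adv->data, tmp, adv->len);           /* commit the rebuilt payload */
    return 0;
}

int main(void)
{
    /* An instance already holding the maximum payload: the prepend must fail. */
    struct adv_instance full = { .len = ADV_MAX_LEN };
    int rc = adv_prepend(&full, sample_hdr, sizeof(sample_hdr));

    printf("full payload: rc=%d len=%zu\n", rc, full.len);
    return 0;
}
```

Without the size test, the second `memcpy` would write past the end of `tmp` whenever the existing payload is already at or near capacity.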

Affected Systems

The affected code resides in the core Linux kernel Bluetooth stack. The CPE string provided is generic for all Linux kernels, and no specific version range is given in the advisory. Therefore, any Linux kernel build that has not yet incorporated the patch is potentially vulnerable. Distribution‑specific build customizations that include the kernel code could also be affected.

Risk and Exploitability

The CVSS score is not supplied in the advisory, and the EPSS score is unavailable. Consequently, no quantifiable exploitation probability can be stated. The vulnerability is not listed in the CISA KEV catalog. To trigger the flaw, an attacker would need to transmit an oversized broadcast announcement to the device, which generally requires physical proximity or a compromised Bluetooth interface. Given the lack of evidence of active exploitation, the risk remains moderate for systems that rely on Bluetooth advertising, while it is lower for devices that do not use advertising or have Bluetooth disabled.

Generated by OpenCVE AI on June 25, 2026 at 11:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the commit that resolves CVE-2026-53209; consult kernel release notes or security advisories for the relevant patch commit.
  • If a kernel update cannot be applied immediately, limit the size of extended Bluetooth advertising data on the host, or turn off Bluetooth advertising entirely if it is not needed for the device’s function.
  • Continuously monitor kernel logs for messages containing ‘hci_sync’ or ‘Bluetooth’ that indicate buffer overrun failures or related errors.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-119, CWE-120

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend Existing advertising instances can already hold the maximum extended advertising payload. When hci_adv_bcast_annoucement() prepends the Broadcast Announcement service data to that payload, the combined data may no longer fit in the temporary buffer used to rebuild the advertising data. Reject that case before copying the existing payload and report the failure through the device log. This keeps the existing advertising data intact and avoids overrunning the temporary buffer.
Title | | Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:14.915Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53209

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:14Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')