Impact
In the Linux kernel, the RFCOMM module processes incoming Bluetooth frames without checking that the skb data length is sufficient. A malicious remote device can send truncated MCC frames that cause the kernel to read past the end of the buffer when casting skb->data to protocol‑specific structures. The result is an out‑of‑bounds read (CWE‑1284) that exposes arbitrary kernel memory contents, potentially revealing sensitive information.
Affected Systems
Any device running a Linux kernel that exposes the RFCOMM Bluetooth stack is affected. The flaw exists in all kernel releases before the commit that adds skb_pull_data validation to RFCOMM MCC handlers. Devices that enable RFCOMM services over Bluetooth are therefore at risk regardless of vendor or build variant.
Risk and Exploitability
The vulnerability has a CVSS score of 8.1, indicating high severity. The EPSS score of <1% suggests the event is unlikely to be exploited soon. It is not listed in the CISA KEV catalog, implying no confirmed wild‑world exploits exist yet. A remote attacker can trigger the out‑of‑bounds read by establishing a Bluetooth connection and transmitting specially crafted MCC frames; no local privileges or user interaction beyond the Bluetooth link are required.
OpenCVE Enrichment
Debian DLA