Impact
The Linux kernel RFCOMM module casts the skb->data pointer to protocol-specific structures without first checking that skb->len covers the structure being read. A malicious remote Bluetooth device can send truncated MSG Control Code (MCC) frames, causing out-of-bounds reads in the RFCOMM handler functions. This flaw can expose arbitrary kernel memory contents to the attacker, potentially leaking sensitive information and providing a foothold for further exploitation such as privilege escalation. The likely attack vector is a remote Bluetooth attacker that establishes a connection with the vulnerable device and transmits specially crafted MCC frames. The description explicitly states that a remote device can trigger the out-of-bounds reads, so no local privilege or user interaction is required beyond the presence of a Bluetooth link. The vulnerability, categorized as an out-of-bounds read (CWE-125, CWE-119), yields information disclosure and may be leveraged as one step in a chain of attacks.
Affected Systems
Affected systems include any device running a Linux kernel that exposes the RFCOMM Bluetooth stack. The flaw exists in the Linux kernel RFCOMM module and is present in all kernel versions prior to the commit that adds skb_pull_data validation. Any Linux device that enables RFCOMM services is potentially at risk unless the kernel has been updated to a release containing the validation fix.
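The defect and the fix described above come down to one pattern: dereferencing a structure at skb->data without first proving that skb->len is at least sizeof(that structure). The following userland C example, added here and not taken from the kernel or from the fixing commit, contrasts the two shapes. The struct mock_skb, struct mock_mcc_hdr and mock_skb_pull_data names are stand-ins constructed for this example; mock_skb_pull_data only copies the contract of the kernel's skb_pull_data() (return NULL when the buffer is shorter than the requested length, otherwise advance and return the old data pointer). The frame bytes are constructed, and the truncated frame is placed inside a larger backing buffer so the unchecked parser's over-read stays within memory this program owns, which is exactly the cushion the kernel does not have.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for struct sk_buff (constructed for this example;
 * only the data/len pair that matters for the bug is modelled). */
struct mock_skb {
    uint8_t *data;
    size_t len;
};

/* Hypothetical MCC-style header used only to show the cast pattern.
 * This is NOT the kernel's real RFCOMM structure definition. */
struct mock_mcc_hdr {
    uint8_t type;
    uint8_t length;
    uint8_t payload[4];
} __attribute__((packed));

/* Same contract as the kernel's skb_pull_data(): if fewer than `len`
 * bytes remain, return NULL and leave the buffer untouched; otherwise
 * consume `len` bytes and return a pointer to where they started. */
static void *mock_skb_pull_data(struct mock_skb *skb, size_t len)
{
    if (skb->len < len)
        return NULL;
    void *p = skb->data;
    skb->data += len;
    skb->len -= len;
    return p;
}

/* Vulnerable shape: trusts the cast and reads every header field
 * regardless of how many bytes were actually received. Returns the
 * sum of the payload bytes it saw. */
static int parse_mcc_unchecked(const struct mock_skb *skb)
{
    const struct mock_mcc_hdr *h = (const struct mock_mcc_hdr *)skb->data;
    int sum = 0;
    for (size_t i = 0; i < sizeof(h->payload); i++)
        sum += h->payload[i];   /* may read past skb->len */
    return sum;
}

/* Hardened shape: the length check happens before any field is touched.
 * Returns 0 and the payload sum on success, -1 for a truncated frame. */
static int parse_mcc_checked(struct mock_skb *skb, int *out_sum)
{
    const struct mock_mcc_hdr *h = mock_skb_pull_data(skb, sizeof(*h));
    if (!h)
        return -1;   /* frame too short: reject instead of over-reading */
    int sum = 0;
    for (size_t i = 0; i < sizeof(h->payload); i++)
        sum += h->payload[i];
    *out_sum = sum;
    return 0;
}

/* A 2-byte truncated frame: type and length present, payload missing.
 * Bytes beyond the frame are filled with 0xEE to stand for whatever
 * stale memory happened to follow the received data. */
static void build_truncated(uint8_t *backing, size_t n, struct mock_skb *skb)
{
    memset(backing, 0xEE, n);
    backing[0] = 0x01;   /* constructed type value */
    backing[1] = 0x04;   /* claims a 4-byte payload that was never sent */
    skb->data = backing;
    skb->len = 2;        /* only two bytes actually arrived */
}

/* Unchecked parser on the truncated frame: returns 4 * 0xEE, i.e. it
 * "read" bytes that were never part of the frame. */
int demo_unchecked_overread(void)
{
    uint8_t backing[16];
    struct mock_skb skb;
    build_truncated(backing, sizeof(backing), &skb);
    return parse_mcc_unchecked(&skb);
}

/* Checked parser on the same truncated frame: rejects it with -1. */
int demo_checked_rejects_truncated(void)
{
    uint8_t backing[16];
    struct mock_skb skb;
    int sum = 0;
    build_truncated(backing, sizeof(backing), &skb);
    return parse_mcc_checked(&skb, &sum);
}

/* Checked parser on a complete frame: accepts it and sums 1+2+3+4. */
int demo_checked_accepts_complete(void)
{
    uint8_t frame[6] = { 0x01, 0x04, 1, 2, 3, 4 };
    struct mock_skb skb = { frame, sizeof(frame) };
    int sum = 0;
    if (parse_mcc_checked(&skb, &sum) != 0)
        return -1;
    return sum;
}

int main(void)
{
    printf("unchecked over-read sum : %d\n", demo_unchecked_overread());
    printf("checked on truncated    : %d\n", demo_checked_rejects_truncated());
    printf("checked on complete     : %d\n", demo_checked_accepts_complete());
    return 0;
}
```

The point to carry into review of any packet handler is that the check must precede the cast: once skb->data has been reinterpreted as a structure, every field access is a potential over-read, so the validated pointer returned by the pull helper should be the only one the handler uses.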
Risk and Exploitability
The CVSS score is not disclosed in the provided data, and the EPSS score is not available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA's KEV catalog, meaning there have been no confirmed in-the-wild exploits to date. However, the flaw can be triggered remotely over Bluetooth, requiring no local privileges or user interaction beyond establishing a Bluetooth link. The lack of immediate mitigation measures in exposed environments increases the potential impact for fleet-managed devices relying on RFCOMM.
OpenCVE Enrichment