Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate advertising TLV before type checks

tlv_data_is_valid() reads each advertising data field length from
data[i], then inspects data[i + 1] for managed EIR types before
checking that the current field still fits inside the supplied buffer.

A malformed field whose length byte is the last byte of the buffer can
therefore make the parser read one byte past the advertising data.

KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING
request reached that path:

BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()
Read of size 1
Call trace:
tlv_data_is_valid()
add_advertising()
hci_mgmt_cmd()
hci_sock_sendmsg()

Move the existing element-length check before any type-octet inspection
so each non-empty element is proven to contain its type byte before the
parser looks at data[i + 1].
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Bluetooth management stack of the Linux kernel, where the TLV data validation function reads the type byte of an advertising element before confirming that the element’s length fits within the supplied buffer. A malformed MGMT_OP_ADD_ADVERTISING request containing a length byte that marks the end of the buffer can cause the parser to read one byte past the data area, triggering a kernel out‑of‑bounds read. The resulting kernel panic is evidenced in KASAN reports and results in a full system denial of service.

Affected Systems

All Linux kernels that shipped before the patch are affected regardless of distribution, because the bug is present in the generic mgmt code. The flaw is exercised through the Bluetooth MGMT channel, so any system with the Bluetooth subsystem and a reachable management interface is vulnerable. The only protection is to apply the kernel update that moves the length check before the type inspection.

Risk and Exploitability

The CVSS score of 5.5 rates moderate severity, and the EPSS of < 1% indicates a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need to send a crafted MGMT_OP_ADD_ADVERTISING request via the Bluetooth MGMT interface, implying local proximity or a compromised local Bluetooth client. Once triggered, the kernel crash turns the device into a denial‑of‑service target that can be repeatedly abused if the interface remains enabled.

Generated by OpenCVE AI on June 26, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the TLV length validation fix
  • If an immediate upgrade is not feasible, disable the Bluetooth management interface or block MGMT traffic
  • Restrict Bluetooth services to trusted devices or disable the Bluetooth subsystem when not in use

Generated by OpenCVE AI on June 26, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV before type checks tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer. A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data. KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path: BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 Call trace: tlv_data_is_valid() add_advertising() hci_mgmt_cmd() hci_sock_sendmsg() Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].
Title Bluetooth: MGMT: validate advertising TLV before type checks
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:45.934Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53255

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53255 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T18:00:06Z

Weaknesses
  • CWE-805

    Buffer Access with Incorrect Length Value