Impact
The vulnerability lies in the Bluetooth management stack of the Linux kernel, where the TLV data validation function reads the type byte of an advertising element before confirming that the element’s length fits within the supplied buffer. A malformed MGMT_OP_ADD_ADVERTISING request containing a length byte that marks the end of the buffer can cause the parser to read one byte past the data area, triggering a kernel out‑of‑bounds read. The resulting kernel panic is evidenced in KASAN reports and results in a full system denial of service.
Affected Systems
All Linux kernels that shipped before the patch are affected regardless of distribution, because the bug is present in the generic mgmt code. The flaw is exercised through the Bluetooth MGMT channel, so any system with the Bluetooth subsystem and a reachable management interface is vulnerable. The only protection is to apply the kernel update that moves the length check before the type inspection.
Risk and Exploitability
The CVSS score of 5.5 rates moderate severity, and the EPSS of < 1% indicates a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need to send a crafted MGMT_OP_ADD_ADVERTISING request via the Bluetooth MGMT interface, implying local proximity or a compromised local Bluetooth client. Once triggered, the kernel crash turns the device into a denial‑of‑service target that can be repeatedly abused if the interface remains enabled.
OpenCVE Enrichment
Debian DLA