Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate advertising TLV before type checks

tlv_data_is_valid() reads each advertising data field length from
data[i], then inspects data[i + 1] for managed EIR types before
checking that the current field still fits inside the supplied buffer.

A malformed field whose length byte is the last byte of the buffer can
therefore make the parser read one byte past the advertising data.

KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING
request reached that path:

BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()
Read of size 1
Call trace:
tlv_data_is_valid()
add_advertising()
hci_mgmt_cmd()
hci_sock_sendmsg()

Move the existing element-length check before any type-octet inspection
so each non-empty element is proven to contain its type byte before the
parser looks at data[i + 1].
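A compact model of the walk described above, written for this page and not taken from the kernel: EIR_FLAGS (0x01, the Bluetooth "Flags" AD type) stands in for the managed types, last_max_read records the highest index the walker touched, and check_len_first selects the element-length check ordering before or after the fix. The sample buffers are constructed.

```c
/* Model of the advertising-TLV walk described above (added example, not
 * the kernel's code): element = [len][type][len-1 payload bytes]. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define EIR_FLAGS 0x01 /* AD type "Flags", standing in for the managed types */

static size_t last_max_read; /* highest index the walker touched */

static uint8_t peek(const uint8_t *data, size_t idx)
{
	if (idx > last_max_read)
		last_max_read = idx;
	return data[idx];
}

/* check_len_first=false models the ordering before the fix, true the
 * ordering after it. Returns whether the buffer is accepted. */
static bool tlv_walk(const uint8_t *data, size_t len, bool check_len_first)
{
	size_t i, cur_len;

	last_max_read = 0;
	for (i = 0; i < len; i += cur_len + 1) {
		cur_len = peek(data, i);
		if (!cur_len)
			continue; /* empty element: nothing but the length byte */
		/* Element spans data[i .. i + cur_len]; it must end inside len. */
		if (check_len_first && i + cur_len >= len)
			return false;
		if (peek(data, i + 1) == EIR_FLAGS) /* type-octet inspection */
			return false;
		if (!check_len_first && i + cur_len >= len)
			return false;
	}
	return true;
}

/* Constructed inputs. sample_buf: one valid element followed by a stray
 * length byte (0x05) as the last of the SAMPLE_LEN bytes; the 0xAA guard
 * bytes keep the pre-fix read inside this array so the demo stays defined. */
static const uint8_t sample_buf[8] = { 0x02, 0x07, 0x06, 0x05,
				      0xAA, 0xAA, 0xAA, 0xAA };
#define SAMPLE_LEN 4
static const uint8_t good_buf[3] = { 0x02, 0x07, 0x06 }; /* well-formed */
```

With the pre-fix ordering the walker reaches index SAMPLE_LEN, one byte past the supplied length; with the fixed ordering it rejects the same buffer without touching anything beyond index SAMPLE_LEN - 1.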
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Within the Linux kernel Bluetooth management stack, a flaw in the handling of advertising data can cause the kernel to read past the end of a supplied buffer. The function that validates each TLV element reads the element's length byte and then inspects its type byte before confirming that the type byte lies within the buffer, so a crafted request can trigger a one-byte out-of-bounds read. KASAN reports the bug as a "vmalloc-out-of-bounds" read, indicating that the kernel is likely to crash or behave unpredictably when an attacker sends a malformed MGMT_OP_ADD_ADVERTISING request. The immediate consequence is a kernel panic and loss of service on the affected node, and repeated exploitation could sustain the denial of service.

Affected Systems

All Linux distributions that ship a kernel without this fix are affected. The vulnerability applies to the generic Linux kernel as listed by the CNA, which does not give a narrower version range. Adversaries trigger the flaw via the Bluetooth MGMT interface, so the device must have the Bluetooth stack enabled and accepting mgmt commands.

Risk and Exploitability

No CVSS score is provided, but the exploit would be local to the Bluetooth interface and would require network proximity or a compromised local Bluetooth client. The EPSS is marked as not available, and the vulnerability is not listed in CISA's KEV catalog. The primary risk is a local denial of service triggered by sending a specially crafted advertising request; the attacker must be able to initiate a Bluetooth MGMT request to the target device, without which the flaw cannot be exercised. The vulnerability is mitigated by applying the kernel patch that moves the length check before the type-octet inspection, restoring proper bounds verification.

Generated by OpenCVE AI on June 25, 2026 at 11:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix that moves the length check before the type-octet inspection
  • If an immediate kernel update is not possible, disable the Bluetooth management interface on the affected system or block MGMT traffic with a firewall to prevent remote requests
  • Verify that no legacy or custom Bluetooth user space utilities are still allowing MGMT commands with potentially malformed data
  • Consider applying mitigations such as CONFIG_BPF or other kernel hardening options that enforce stricter bounds checks on memory access

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:15:00 +0000

Type                  Values Removed   Values Added
Weaknesses                             CWE-119, CWE-20

Thu, 25 Jun 2026 09:15:00 +0000

Type                  Values Removed   Values Added
Description                            (identical to the Description section at the top of this page)
Title                                  Bluetooth: MGMT: validate advertising TLV before type checks
First Time appeared                    Linux
                                       Linux linux Kernel
CPEs                                   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                     Linux
                                       Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:45.934Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53255

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:13Z

Weaknesses
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-20: Improper Input Validation