CVE Catalog

CVE-2026-46138

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile - higher than 19% of all known CVEs

Summary

A vulnerability has been identified in the Linux kernel related to Bluetooth event handling, which may lead to out-of-bounds reads and an infinite loop. The issue occurs in the hci_le_create_big_complete_evt() function, which does not check if the index remains within the bounds of the array during iteration.

Risk Assessment

This vulnerability may lead to system lockup due to an infinite loop, affecting the availability of Bluetooth services on the system. It may also pose a risk to the overall stability of the operating system.

Recommendation

It is recommended to update the Linux kernel to the latest version where this vulnerability has been fixed. Additionally, monitor systems for any abnormal behavior of Bluetooth services.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access. When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held. Fix this by terminating the BIG if in case not all BIS could be setup properly.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS