CVE Catalog

CVE-2026-53255

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile - higher than 7% of all known CVEs

Summary

In the Linux kernel Bluetooth stack, an out-of-bounds read vulnerability was found in tlv_data_is_valid(). A malformed MGMT_OP_ADD_ADVERTISING request can cause reading one byte past the allocated buffer, as reported by KASAN.

Risk Assessment

An attacker could exploit this vulnerability to leak kernel memory information or cause a system panic by sending a specially crafted Bluetooth packet.

Recommendation

Immediately update the Linux kernel to a version containing the fix that moves the element-length check before type inspection.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV before type checks tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer. A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data. KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path: BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 Call trace: tlv_data_is_valid() add_advertising() hci_mgmt_cmd() hci_sock_sendmsg() Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].

Vulnerability data from NVD (NIST) · CISA KEV · EPSS