CVE-2026-53255
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
In the Linux kernel Bluetooth stack, an out-of-bounds read vulnerability was found in tlv_data_is_valid(). A malformed MGMT_OP_ADD_ADVERTISING request can cause reading one byte past the allocated buffer, as reported by KASAN.
Risk Assessment
An attacker could exploit this vulnerability to leak kernel memory information or cause a system panic by sending a specially crafted Bluetooth packet.
Recommendation
Immediately update the Linux kernel to a version containing the fix that moves the element-length check before type inspection.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV before type checks tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer. A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data. KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path: BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 Call trace: tlv_data_is_valid() add_advertising() hci_mgmt_cmd() hci_sock_sendmsg() Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].

