Bug 2482656 (CVE-2026-46138) - CVE-2026-46138 kernel: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
Summary: CVE-2026-46138 kernel: Bluetooth: hci_event: Fix OOB read and infinite loop i...
Keywords:
Status: NEW
Alias: CVE-2026-46138
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-28 11:07 UTC by OSIDB Bzimport
Modified: 2026-05-28 17:06 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-28 11:07:59 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for
a BIG handle using a while loop, accessing ev->bis_handle[i++] on each
iteration.  However, there is no check that i stays within ev->num_bis
before the array access.

When a controller sends a LE_Create_BIG_Complete event with fewer
bis_handle entries than there are BT_BOUND connections for that BIG,
or with num_bis=0, the loop reads beyond the valid bis_handle[] flex
array into adjacent heap memory.  Since the out-of-bounds values
typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()
rejects them and the connection remains in BT_BOUND state.  The same
connection is then found again by hci_conn_hash_lookup_big_state(),
creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG if in case not all BIS could be setup
properly.
Comment 1 Keith Grant 2026-05-28 17:02:45 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052819-CVE-2026-46138-7234@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.