CVE-2026-46138
A flaw in the Linux kernel's Bluetooth event handler can cause the kernel to read memory beyond the bounds of a data structure and enter an infinite loop. The vulnerability occurs when a Bluetooth controller sends a specific event (LE_Create_BIG_Complete) with mismatched or insufficient data. An attacker with local or adjacent network access to a vulnerable system could exploit this to cause a denial of service by freezing the kernel with a lock held, making the system unresponsive.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-24
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access. When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held. Fix this by terminating the BIG if in case not all BIS could be setup properly.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46138 is a heap out-of-bounds read (CWE-125) in the Linux kernel's Bluetooth HCI event processing layer, specifically in hci_le_create_big_complete_evt(). The function iterates over BT_BOUND connections for a BIG (Broadcast Isochronous Group) handle using a while loop that accesses ev->bis_handle[i++] without validating that the array index i remains within the bounds defined by ev->num_bis. When a malformed LE_Create_BIG_Complete event arrives with num_bis=0 or fewer bis_handle entries than BT_BOUND connections exist for that BIG, the loop reads past the flex array into adjacent heap memory. Out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), causing hci_conn_set_handle() to reject them. Rejected connections remain in BT_BOUND state and are found again by hci_conn_hash_lookup_big_state(), triggering an infinite loop while holding hci_dev_lock—a critical synchronization primitive in the Bluetooth subsystem.
Business impact
This vulnerability creates a denial-of-service vector affecting Linux systems with Bluetooth capabilities. By forcing the kernel into an infinite loop with hci_dev_lock held, an attacker can freeze all Bluetooth operations on the system and potentially degrade overall system responsiveness. Organizations relying on Linux-based IoT devices, embedded systems, or servers with active Bluetooth connectivity face availability risk. The attack requires only adjacent or local network access, making it relevant to environments where untrusted Bluetooth controllers or proximate attackers are a concern.
Affected systems
The Linux kernel across all versions with Bluetooth HCI event handling is affected. This includes consumer devices (laptops, phones running Linux), IoT appliances, automotive systems, and enterprise Linux servers with Bluetooth support enabled. The vulnerability is not version-specific in the provided data; however, patches would typically be backported to stable kernel branches. Verify the specific kernel versions and distributions affected through your vendor's security advisories.
Exploitability
Exploitability requires adjacent or local network access to send a malformed Bluetooth event to the target system. No user interaction or special privileges are needed. The attack is reliable: sending a LE_Create_BIG_Complete event with num_bis=0 or mismatched bis_handle counts directly triggers the infinite loop. However, successful exploitation depends on the system having Bluetooth enabled and the hci_dev_lock contention being observable as a denial of service. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Remediation
The fix involves terminating the BIG (Broadcast Isochronous Group) if not all BIS (Broadcast Isochronous Sub-channels) can be set up properly, preventing the loop from iterating beyond valid data. This resolves both the out-of-bounds read and the infinite loop condition by ensuring the kernel stops processing when the event data is inconsistent with internal state. Patches have been published and are being integrated into stable kernel releases.
Patch guidance
Apply patches from your Linux distribution's kernel security updates. Check your vendor's advisory page for the specific kernel version numbers that include this fix—these will vary by distribution (Red Hat, Ubuntu, Debian, etc.) and release cycle. Most vendors have released updates to their stable and long-term support branches. Verify the patch has been applied by checking kernel version and, if possible, grepping the kernel source or git history for the fix description. Test in a non-production environment before deploying to production systems.
Detection guidance
Monitor kernel logs for signs of Bluetooth subsystem hangs or lockups, particularly messages related to hci_dev_lock contention or BIG creation failures. On systems with Bluetooth debugging enabled, look for unexpected LE_Create_BIG_Complete events followed by kernel warnings or soft lockups. System monitoring tools may detect sudden CPU thread stalls in Bluetooth-related kernel threads. However, detection is primarily a post-exploitation indicator; prevention via patching is the primary defense. Consider disabling Bluetooth on systems where it is not required.
Why prioritize this
This vulnerability scores 8.1 (HIGH) and combines a reliable denial-of-service trigger with low attack complexity and no authentication requirement. While not yet in the KEV catalog, the combination of a kernel lock freeze and adjacent-network exploitability makes it a credible threat to Bluetooth-enabled Linux deployments. Prioritize patching systems where Bluetooth is actively used or exposed to untrusted networks. Systems with Bluetooth disabled or in isolated networks face lower immediate risk.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects: AV:A (attack vector adjacent network), AC:L (low complexity—no special conditions), PR:N (no privileges needed), UI:N (no user interaction), S:U (scope unchanged), C:H (high confidentiality impact from out-of-bounds read), I:N (no integrity impact), A:H (high availability impact from infinite loop and lock contention). The confidentiality rating acknowledges that out-of-bounds heap reads may leak sensitive kernel memory, while the availability impact is primary due to the kernel lock freeze.
Frequently asked questions
Can this be exploited remotely over Bluetooth without pairing?
The attack vector is 'adjacent network' (AV:A), meaning the attacker must be within Bluetooth range. Pairing requirements depend on the Bluetooth profile and controller firmware; a malicious or compromised controller on the same network can send the malformed event. Remote exploitation over the internet is not possible with this vulnerability alone.
What happens if I disable Bluetooth on my Linux system?
Disabling Bluetooth eliminates exposure to this vulnerability. If your system does not require Bluetooth functionality, disabling it in BIOS/UEFI or via kernel module blacklisting removes the attack surface entirely.
Why is this a kernel issue rather than a user-space Bluetooth daemon issue?
The vulnerable code is in the Linux kernel's HCI (Host Controller Interface) layer, which directly processes events from the Bluetooth hardware controller. User-space daemons (like BlueZ) sit above this layer and cannot prevent kernel-level parsing errors. A fix in the kernel ensures all systems with this kernel version are protected, regardless of user-space configuration.
Are there any workarounds if I cannot patch immediately?
Workarounds are limited. Disabling Bluetooth is the most effective short-term mitigation. Restricting physical access to prevent nearby attackers and ensuring Bluetooth devices are not in discoverable mode reduce exposure. Kernel-level mitigations (like disabling specific HCI event processing) may be possible but would require custom kernel modifications and are not standard upstream workarounds; verify with your vendor.
This analysis is based on the CVE description and public security data as of the publication date. No exploit code or proof-of-concept details are provided. Readers should verify patch availability and compatibility with their specific Linux distributions and kernel versions through official vendor advisories before applying updates. The presence of this vulnerability does not guarantee successful exploitation; actual risk depends on system configuration, Bluetooth enablement, and network exposure. SEC.co does not warrant the accuracy or completeness of this information and recommends consulting vendor documentation and security advisories for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGH
CVE-2026-10889: Critical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGH
CVE-2026-10927: Chrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGH
CVE-2026-10941: Skia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGH
CVE-2026-11015: Critical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-46130HIGH
CVE-2026-46130: Linux Kernel dm-verity-fec Out-of-Bounds Read – Vulnerability Details
- CVE-2026-46133HIGH
CVE-2026-46133: Linux RDMA/rxe Kernel Panic via Invalid Opcode DoS
- CVE-2026-46140HIGH
CVE-2026-46140: Linux Kernel Bluetooth btmtk Driver Memory Disclosure
- CVE-2026-10998MEDIUM
CVE-2026-10998: Chrome Media Out-of-Bounds Memory Read Vulnerability