CVE-2026-46186: Linux Bluetooth Virtio Driver Memory Validation Flaw
A flaw in the Linux kernel's Bluetooth virtio driver fails to validate that incoming packets contain enough data before processing them. When a malformed or truncated packet arrives, the driver can read beyond the packet's actual boundaries, potentially accessing uninitialized memory. This could cause the system to crash or misbehave, particularly on systems with active Bluetooth connections.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-908
- Affected products
- 9 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtio_bt: validate rx pkt_type header length virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type. After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core. After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path. Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The virtbt_rx_handle() function in the Linux kernel Bluetooth virtio driver strips the leading pkt_type byte from received skbs without verifying that the remaining payload meets the minimum HCI header size for that packet type (2 bytes for events, 4 for ACL/ISO, 3 for SCO). When a one-byte packet labeled as HCI_ACLDATA_PKT reaches hci_recv_frame() with skb->len=0, subsequent code in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle unconditionally if the device has active CIS_LINK, BIS_LINK, or PA_LINK connections, reading two bytes of uninitialized RX-buffer data. The fix enforces per-packet-type minimum length checks before forwarding to hci_recv_frame() and rate-limits error logging to prevent log flooding from untrusted backends.
Business impact
Systems relying on Bluetooth connectivity over virtio (common in virtualized environments) face denial-of-service risk through unexpected crashes triggered by malformed Bluetooth frames. While integrity and confidentiality are not directly compromised, unplanned downtime or system instability could disrupt services dependent on Bluetooth functionality. The impact is localized to the affected host and requires local or hypervisor-level access to craft malicious frames.
Affected systems
Linux kernel systems running with Bluetooth virtio driver support enabled, particularly in virtualized or cloud environments where Bluetooth is presented via virtio transport. This affects multiple upstream kernel branches as indicated by the vendors_products list. Systems must have active Bluetooth connections (CIS, BIS, or PA links) to trigger the specific ACL-path dereference, though truncated packets of other types can cause general instability.
Exploitability
Exploitation requires local or privileged access to the hypervisor to inject malformed Bluetooth packets via the virtio backend, or requires control over a Bluetooth device communicating with the virtio driver. The attack is not remotely exploitable from typical network positions. No public exploit code has been identified, and this is not on the CISA KEV catalog. The barrier to exploitation is moderate—an attacker needs backend-level control or local system access.
Remediation
Apply the kernel patch that adds validation logic to virtbt_rx_handle() to enforce minimum packet length requirements per packet type before calling hci_recv_frame(). The fix also implements rate-limited error logging using bt_dev_err_ratelimited() to prevent log flooding. Verify the patch version against your Linux vendor's advisory, as backport timelines vary across distributions.
Patch guidance
Check your Linux distribution's security advisories for Bluetooth virtio patches. Major distributions typically backport such fixes into stable kernel branches within weeks of upstream resolution. Kernel versions should be verified against vendor-specific patch timelines—do not assume upstream kernel version numbers directly apply to your distribution. Test patches in non-production environments first, as Bluetooth driver changes can affect connected devices.
Detection guidance
Monitor kernel logs for rate-limited Bluetooth error messages related to invalid packet lengths from the virtio backend. Enable Bluetooth subsystem debugging if available in your kernel build (CONFIG_BT_DEBUG). On virtualized systems, correlate unexpected Bluetooth device failures or system crashes with hypervisor event logs showing virtio device anomalies. Intrusion detection systems can flag unusual patterns of truncated Bluetooth frames, though this requires deep packet inspection at the hypervisor level.
Why prioritize this
This medium-severity vulnerability affects availability through denial-of-service but requires local or privileged access to exploit. It should be prioritized for patching on systems actively using Bluetooth over virtio (especially cloud or container hosts) but is lower priority for systems without Bluetooth connectivity or non-virtualized deployments. The lack of KEV designation and public exploits suggests active exploitation is not yet widespread.
Risk score, explained
CVSS 5.5 (Medium) reflects high availability impact (complete service disruption possible) offset by low attack vector (local only) and requirement for attacker privileges. The attack surface is confined to the virtio Bluetooth subsystem, limiting exposure compared to network-facing vectors. Environments with strict hypervisor access controls will see further reduced risk.
Frequently asked questions
Does this vulnerability expose my Bluetooth data to eavesdropping or interception?
No. This flaw causes denial-of-service or system instability through out-of-bounds memory reads, but does not compromise the confidentiality or integrity of Bluetooth communications themselves. Encryption and pairing mechanisms remain unaffected.
Can this be exploited remotely over the network?
No. Exploitation requires either local system access or control of the Bluetooth device/hypervisor backend injecting the malformed packets. Standard remote network access does not provide an attack path.
Do I need to patch if Bluetooth is disabled on my Linux system?
If Bluetooth and the virtio driver are not in use, this vulnerability does not pose a risk to your system. However, patching is still recommended as a defense-in-depth measure in case Bluetooth is re-enabled in the future.
Which Linux distributions are affected?
Any distribution using a Linux kernel version with the vulnerable Bluetooth virtio driver code path. Check your vendor's security advisory to confirm patch availability and versions. Upstream kernels and rolling-release distributions typically receive fixes within weeks of resolution.
This analysis is based on the CVE description and public kernel commit information available as of the publish date. Patch availability, version numbers, and distribution timelines should be verified against official Linux vendor advisories. SEC.co does not provide warranty regarding the completeness or accuracy of remediation guidance; security teams should validate patches in their own environments before production deployment. No exploit code or detailed attack methods are provided intentionally. For the latest updates, consult the Linux kernel security mailing list and your distribution's security advisories. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46132MEDIUMLinux Kernel Stack Memory Leak via rtnetlink VF Information Disclosure
- CVE-2026-46139MEDIUMLinux SMB Client Uninitialized Buffer in Security Descriptors
- CVE-2026-46167MEDIUMLinux Kernel USB Printer Driver Uninitialized Heap Memory Leak via LPGETSTATUS ioctl
- CVE-2026-46169MEDIUMLinux HFS+ Catalog Record Validation Vulnerability
- CVE-2026-46257MEDIUMLinux SP804 Timer Kernel Panic on ARM32 – Patch & Detection
- CVE-2026-26825MEDIUMlibxls 1.6.3 Use-of-Uninitialized Memory Vulnerability
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout