7.7

CVE-2026-46123

Bluetooth: virtio_bt: clamp rx length before skb_put

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: virtio_bt: clamp rx length before skb_put

virtbt_rx_work() calls skb_put(skb, len) where len comes directly
from virtqueue_get_buf() with no validation against the buffer we
posted to the device. The RX skb is allocated in virtbt_add_inbuf()
and exposed to virtio as exactly 1000 bytes via sg_init_one().

Checking len against skb_tailroom(skb) is not sufficient because
alloc_skb() can leave more tailroom than the 1000 bytes actually
handed to the device. A malicious or buggy backend can therefore
report used.len between 1001 and skb_tailroom(skb), causing skb_put()
to include uninitialized kernel heap bytes that were never written by
the device.

The same path also accepts len == 0, in which case skb_put(skb, 0)
leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
byte from skb->data, consuming uninitialized memory.

Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
sg_init_one(), and gate virtbt_rx_work() on that same constant so
the bound checked matches the buffer actually exposed to the device.
Reject used.len == 0 in the same gate so an empty completion can
no longer reach virtbt_rx_handle().

Use bt_dev_err_ratelimited() because the length value comes from an
untrusted backend that can otherwise flood the kernel log.

Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened the USB 9p
transport against unchecked device-reported length.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.15.78 < 5.15.209
LinuxLinux Kernel Version >= 6.0.8 < 6.1
LinuxLinux Kernel Version >= 6.1.1 < 6.1.175
LinuxLinux Kernel Version >= 6.2 < 6.6.140
LinuxLinux Kernel Version >= 6.7 < 6.12.88
LinuxLinux Kernel Version >= 6.13 < 6.18.30
LinuxLinux Kernel Version >= 6.19 < 7.0.7
LinuxLinux Kernel Version6.1 Update-
LinuxLinux Kernel Version6.1 Updaterc4
LinuxLinux Kernel Version6.1 Updaterc5
LinuxLinux Kernel Version6.1 Updaterc6
LinuxLinux Kernel Version6.1 Updaterc7
LinuxLinux Kernel Version6.1 Updaterc8
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.14% 0.038
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.7 2.5 5.2
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/ed41c81d30b211a671667259c3b5feeba0e062d5
Patch
https://git.kernel.org/stable/c/6c1730099a6fc18b183bd6c1adad3b54adcaeda9
Patch
https://git.kernel.org/stable/c/b40cdd1b1370d76e9e760af4490cb4a351cceead
Patch
https://git.kernel.org/stable/c/e6b4296f170d949ebba937cf6a3f247ec9550d2c
Patch
https://git.kernel.org/stable/c/21bd244b6de5d2fe1063c23acc93fbdd2b20d112
Patch
https://git.kernel.org/stable/c/4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a
Patch
https://git.kernel.org/stable/c/fd91fa2678ab603dfb285416c1cf3843d7be1e41
Patch