5.5

CVE-2026-46186

Bluetooth: virtio_bt: validate rx pkt_type header length

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: virtio_bt: validate rx pkt_type header length

virtbt_rx_handle() reads the leading pkt_type byte from the RX skb
and forwards the remainder to hci_recv_frame() for every
event/ACL/SCO/ISO type, without checking that the remaining payload
is at least the fixed HCI header for that type.

After the preceding patch bounds the backend-supplied used.len to
[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches
hci_recv_frame() with skb->len already pulled to 0. If the byte
happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification
fast-path in hci_dev_classify_pkt_type() dereferences
hci_acl_hdr(skb)->handle whenever the HCI device has an active
CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of
uninitialized RX-buffer data. The same hazard exists for every
packet type the driver accepts because none of the switch cases in
virtbt_rx_handle() check skb->len against the per-type minimum HCI
header size before handing the frame to the core.

After stripping pkt_type, require skb->len to cover the fixed
header size for the selected type (event 2, ACL 4, SCO 3, ISO 4)
before calling hci_recv_frame(); drop ratelimited otherwise.
Unknown pkt_type values still take the original kfree_skb() default
path.

Use bt_dev_err_ratelimited() because both the length and pkt_type
values come from an untrusted backend that can otherwise flood the
kernel log.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.15.78 < 5.15.209
LinuxLinux Kernel Version >= 6.0.8 < 6.1
LinuxLinux Kernel Version >= 6.1.1 < 6.1.175
LinuxLinux Kernel Version >= 6.2 < 6.6.140
LinuxLinux Kernel Version >= 6.7 < 6.12.88
LinuxLinux Kernel Version >= 6.13 < 6.18.30
LinuxLinux Kernel Version >= 6.19 < 7.0.7
LinuxLinux Kernel Version6.1 Update-
LinuxLinux Kernel Version6.1 Updaterc4
LinuxLinux Kernel Version6.1 Updaterc5
LinuxLinux Kernel Version6.1 Updaterc6
LinuxLinux Kernel Version6.1 Updaterc7
LinuxLinux Kernel Version6.1 Updaterc8
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.024
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

https://git.kernel.org/stable/c/1e1e509b6fd2a42421745bbcd98bd16daad20904
Patch
https://git.kernel.org/stable/c/2c1143564c71e7497b42d8360a8379ccbb011d3c
Patch
https://git.kernel.org/stable/c/3485c7236c59c8c34a41af1c4b52982437554e79
Patch
https://git.kernel.org/stable/c/f743eab6486965f276c7e3f1700895f014fdc6db
Patch
https://git.kernel.org/stable/c/daf23014e5d975e72ea9c02b5160d3fcf070ea47
Patch
https://git.kernel.org/stable/c/149cfb42ad69c7964fd9f2c43831da9152007129
Patch
https://git.kernel.org/stable/c/7b2d4c04816cdc887f472caaf7fc966cfc107e40
Patch