CVE-2026-53255

HIGH

Bluetooth: MGMT: validate advertising TLV before type checks

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV before type checks tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer. A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data. KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path: BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 Call trace: tlv_data_is_valid() add_advertising() hci_mgmt_cmd() hci_sock_sendmsg() Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].

Scores

CVSS v3 7.1
EPSS 0.0012
EPSS Percentile 2.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Details

CWE
CWE-125
Status published
Products (27)
linux/Kernel 4.9.0 - 5.10.259linux
linux/Kernel 5.11.0 - 5.15.210linux
linux/Kernel 5.16.0 - 6.1.176linux
linux/Kernel 6.13.0 - 6.18.36linux
linux/Kernel 6.19.0 - 7.0.13linux
linux/Kernel 6.2.0 - 6.6.143linux
linux/Kernel 6.7.0 - 6.12.94linux
Linux/Linux < 4.9
Linux/Linux 2bb36870e8cb29949ef9acec37129cd8e70f1857 - 06fcbd79c3c360a50f9be9d370769bbd738d0976
Linux/Linux 2bb36870e8cb29949ef9acec37129cd8e70f1857 - 13ad995071a06570668dd8daab3616c247c72080
... and 17 more
Published Jun 25, 2026
Tracked Since Jun 25, 2026