CVE-2026-46123: Bluetooth: virtio_bt: clamp rx length before skb_put
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: virtio_bt: clamp rx length before skb_put

virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one(). Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.

The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.

Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle(). Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.

Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer overflow in USB transport layer"), which hardened the USB 9p transport against unchecked device-reported length.
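As an added illustration (a user-space model written for this page, not the driver's code), the two length checks the description contrasts: a tailroom-based check admits used.len == 0 and every value from 1001 up to the tailroom, while a gate on VIRTBT_RX_BUF_SIZE admits only 1..1000. The 1024-byte tailroom used below is a constructed value standing in for allocator rounding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors the constant the fix introduces: the number of bytes actually
 * exposed to the device through sg_init_one(). */
#define VIRTBT_RX_BUF_SIZE 1000

/* The insufficient check from the description: bounded by what
 * skb_tailroom() reports, which alloc_skb() may have rounded up beyond
 * the 1000 bytes posted to the device, and it also accepts len == 0. */
static bool rx_len_ok_tailroom(size_t tailroom, unsigned int len)
{
    return len <= tailroom;
}

/* The fixed gate: bounded by the buffer exposed to the device and
 * rejecting an empty completion, so virtbt_rx_handle() never reads
 * pkt_type from a byte the device did not write. */
static bool rx_len_ok_fixed(unsigned int len)
{
    return len != 0 && len <= VIRTBT_RX_BUF_SIZE;
}

/* User-space model of virtbt_rx_work() (constructed for this example).
 * tailroom is what alloc_skb() left on the RX skb, len is the
 * device-reported used.len. Returns the bytes that would reach the
 * Bluetooth stack via skb_put(), or 0 when the completion is dropped. */
static size_t rx_work(size_t tailroom, unsigned int len, bool fixed)
{
    size_t skb_len = 0;   /* stands in for skb->len of a fresh RX skb */
    bool ok = fixed ? rx_len_ok_fixed(len) : rx_len_ok_tailroom(tailroom, len);

    if (!ok) {
        /* the kernel fix uses bt_dev_err_ratelimited() here because the
         * value is backend-controlled and could otherwise flood the log */
        fprintf(stderr, "virtio_bt: dropped rx completion, len=%u\n", len);
        return 0;
    }
    skb_len += len;   /* skb_put(skb, len) */
    return skb_len;
}

/* Bytes beyond the device-written region that a completion exposes. */
static size_t leaked_bytes(size_t tailroom, unsigned int len, bool fixed)
{
    size_t visible = rx_work(tailroom, len, fixed);
    return visible > VIRTBT_RX_BUF_SIZE ? visible - VIRTBT_RX_BUF_SIZE : 0;
}
```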
HarborGuard Analysis
Synopsis
A heap-data-disclosure and denial-of-service vulnerability exists in the Linux kernel's virtio Bluetooth driver (virtio_bt). The flaw is reachable locally with no authentication required, meaning an attacker who already has code running on the host or who controls the virtio backend device can trigger it. Successful exploitation exposes uninitialized kernel heap bytes to user space and can crash the affected service. Patched-image rebuilds at the fix versions (5.16, 6.1, 6.6.140, and the listed commit SHAs) are available on HarborGuard for environments running affected kernel versions.
HarborGuard Coverage
Detection of CVE-2026-46123 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected kernel version. Any image in a connected registry or CI pipeline carrying a vulnerable kernel is flagged automatically.
HarborGuard scores this CVE at CVSS 7.7 HIGH (v3.1) and can weight that score against each customer environment's compliance policy to produce a prioritized finding. Routing to the appropriate team inbox within each customer organization is based on image ownership and policy configuration.
A patched-image rebuild at the fix versions (5.16, 6.1, 6.6.140, and the upstream commit references) is available on HarborGuard for any environment running an affected kernel. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host, or control over the virtio backend device; no network path to the service is required.
- Authentication: Not required
  No credentials or account privileges are required to trigger the vulnerability once local or backend access is established.
- Victim interaction: Not required
  No user interaction is needed; the attacker triggers the flaw by supplying a crafted used.len value through the virtio backend without any action from a victim.
- Attack complexity: Low (AC:L in the CVSS vector below)
  Exploit conditions are straightforward and reliable; no race conditions, memory-layout dependencies, or special environmental factors are required to trigger the flaw.
Blast Radius
- An attacker reads uninitialized kernel heap bytes that were never written by the device, which may include residual data such as keys, tokens, or other kernel objects previously occupying that memory region.
- An attacker can supply a zero-length completion that causes virtbt_rx_handle() to consume uninitialized memory when reading the pkt_type byte, producing unpredictable kernel behavior.
- A malicious or buggy virtio backend can repeatedly trigger the out-of-bounds skb_put(), destabilizing or crashing the Bluetooth subsystem on the host.
- Kernel log flooding is possible via the unguarded error path, degrading observability and potentially masking other concurrent attacks.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of ingestion for any customer image carrying a kernel older than the fix versions (5.16, 6.1, 6.6.140, or the upstream commit SHAs listed in the advisory). For customers who opt into auto-remediation, HarborGuard triggers a rebuild against the patched kernel version, runs a regression test suite, and opens a pull request targeting affected workloads; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes. Where compliance policy does not permit automatic rebuilds, the finding is surfaced in the triage queue with CVSS 7.7 HIGH scoring and policy-weighted priority. As a compensating control while a kernel upgrade is scheduled, customers can restrict access to the virtio-bt backend surface through container security policy or device assignment controls to limit which workloads can interact with the vulnerable driver path.
Metrics
- CVSS v3.1: 7.7
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: < ed41c81d30b211a671667259c3b5feeba0e062d5 (from 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be) · < 6c1730099a6fc18b183bd6c1adad3b54adcaeda9 (from 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be) · < b40cdd1b1370d76e9e760af4490cb4a351cceead (from 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be) · < e6b4296f170d949ebba937cf6a3f247ec9550d2c (from 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be) · < 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 (from 160fbcf3bfb93c3c086427f9f4c8bc70f217e9be) · cf2719a21fdb9d4c8e9c834d279163609bef575d
- Linux / Linux 6.1: fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H