CVE-2026-46138: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access.

When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG in case not all BIS could be set up properly.
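The loop shape described above, and the two checks the fix needs, can be shown in a small user-space model. This is an added example, not the kernel's hci_event.c: the structures `conn`, `big_complete_ev`, the helper names `lookup_big_bound`, `conn_set_handle` and `create_big_complete`, and the scenario data are all constructed for this illustration, and only `HCI_CONN_HANDLE_MAX` (0x0EFF) is taken from the advisory. The hardened handler bounds the flex-array index by `num_bis` and leaves the loop when a handle is rejected, so a short or empty event terminates the BIG instead of re-finding the same BT_BOUND connection forever.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the handler in CVE-2026-46138 (not kernel code). */
#define HCI_CONN_HANDLE_MAX 0x0EFF   /* value quoted by the advisory */

enum conn_state { BT_BOUND, BT_CONNECTED, BT_CLOSED };

struct conn {                 /* assumed stand-in for hci_conn */
    uint8_t big;
    enum conn_state state;
    uint16_t handle;
};

/* Assumed layout of LE_Create_BIG_Complete: a count followed by a flex array;
 * only the first num_bis entries of bis_handle[] are valid. */
struct big_complete_ev {
    uint8_t status;
    uint8_t big_handle;
    uint8_t num_bis;
    uint16_t bis_handle[];
};

/* Models hci_conn_hash_lookup_big_state(): next BT_BOUND connection of this BIG. */
static struct conn *lookup_big_bound(struct conn *conns, size_t n, uint8_t big) {
    for (size_t k = 0; k < n; k++)
        if (conns[k].big == big && conns[k].state == BT_BOUND)
            return &conns[k];
    return NULL;
}

/* Models hci_conn_set_handle(): handles above HCI_CONN_HANDLE_MAX are rejected
 * and the connection stays BT_BOUND. */
static int conn_set_handle(struct conn *c, uint16_t handle) {
    if (handle > HCI_CONN_HANDLE_MAX)
        return -1;
    c->handle = handle;
    c->state = BT_CONNECTED;
    return 0;
}

/*
 * Hardened handler. The unsafe shape the advisory describes is
 *
 *     while ((conn = lookup_big_bound(...)))
 *         conn_set_handle(conn, ev->bis_handle[i++]);   // no i < num_bis check
 *
 * which indexes past bis_handle[] once i reaches num_bis, and because a rejected
 * connection stays BT_BOUND the lookup returns it again on every iteration.
 * Returns the number of BIS set up, or -1 if the BIG had to be terminated.
 */
static int create_big_complete(struct conn *conns, size_t n, const struct big_complete_ev *ev) {
    struct conn *conn;
    int i = 0;

    while ((conn = lookup_big_bound(conns, n, ev->big_handle))) {
        if (i >= ev->num_bis)                  /* bound the array by the event's own count */
            goto terminate;
        if (conn_set_handle(conn, ev->bis_handle[i++]) < 0)
            goto terminate;                    /* a rejected handle must also end the loop */
    }
    return i;

terminate:
    /* Models terminating the BIG: close every connection still bound to it. */
    for (size_t k = 0; k < n; k++)
        if (conns[k].big == ev->big_handle && conns[k].state == BT_BOUND)
            conns[k].state = BT_CLOSED;
    return -1;
}

/* Builds a constructed event carrying num_bis handles for BIG `big`. */
static struct big_complete_ev *make_event(uint8_t big, const uint16_t *handles, uint8_t num_bis) {
    struct big_complete_ev *ev = calloc(1, sizeof(*ev) + (size_t)num_bis * sizeof(uint16_t));
    ev->big_handle = big;
    ev->num_bis = num_bis;
    if (num_bis)
        memcpy(ev->bis_handle, handles, (size_t)num_bis * sizeof(uint16_t));
    return ev;
}

/* Three connections bound to BIG 1; the event carries only num_bis handles. */
static int run_scenario(uint8_t num_bis) {
    struct conn conns[3] = {{1, BT_BOUND, 0}, {1, BT_BOUND, 0}, {1, BT_BOUND, 0}};
    const uint16_t handles[3] = {0x0010, 0x0011, 0x0012};   /* constructed sample handles */
    struct big_complete_ev *ev = make_event(1, handles, num_bis);
    int rc = create_big_complete(conns, 3, ev);
    free(ev);
    return rc;
}

int main(void) {
    printf("complete event (3 handles): %d\n", run_scenario(3));   /* 3  */
    printf("short event (2 handles):    %d\n", run_scenario(2));   /* -1 */
    printf("empty event (num_bis=0):    %d\n", run_scenario(0));   /* -1 */
    return 0;
}
```

The short and empty events return -1 in one pass instead of hanging, and the `i >= num_bis` test is what keeps the index inside the flex array; the second `goto terminate` covers the case the advisory describes where a rejected handle would otherwise leave the same connection in BT_BOUND for the next lookup.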
HarborGuard Analysis
Synopsis
An out-of-bounds (OOB) heap read and infinite loop vulnerability exists in the Linux kernel's Bluetooth HCI event handler, specifically in the hci_le_create_big_complete_evt function. A physically adjacent attacker (on the same LAN, VLAN, or Bluetooth broadcast domain) can trigger the flaw without any authentication by sending a malformed LE_Create_BIG_Complete event with fewer BIS handle entries than expected, causing the kernel to read beyond a flex array into adjacent heap memory and potentially spin indefinitely with the device lock held. Successful exploitation leaks sensitive kernel heap memory contents and causes a denial of service via an unkillable infinite loop holding hci_dev_lock. Patched-image rebuilds at the fix versions (6.5, 6.6, and specific upstream commits) are available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-46138 is available across every HarborGuard environment, with the CVE ingested from upstream feeds and matched against customer images within minutes of publication. This matching capability covers all images in connected registries and CI/CD pipelines, including custom-built images that package an affected Linux kernel version.
- Triage: Available. Triage uses the CVSS v3.1 score of 8.1 (HIGH), with per-environment compliance policy weighting applied to prioritize findings based on each customer organization's risk thresholds. Findings are routed to the appropriate team inbox inside each customer org based on configured ownership rules.
- Remediation: Available. A patched-image rebuild at the fix versions (6.5, 6.6, and the upstream commit refs) is available on HarborGuard for any image found to carry an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: The attacker must be on an adjacent network segment (same LAN, VLAN, or Bluetooth broadcast domain); remote over-the-internet exploitation is not possible without that adjacency.
- Authentication: Not required. No credentials or account are needed to send the malformed Bluetooth HCI event that triggers the vulnerability.
- Victim interaction: Not required. The vulnerable code path is reached through a controller-originated event with no user interaction required.
- Attack complexity: Exploitation is reliable and condition-free once adjacency is established; no race conditions or special memory layout are required.
Blast Radius
- An attacker reads raw kernel heap memory adjacent to the bis_handle flex array, which may contain sensitive in-memory data such as kernel pointers, socket buffers, or cryptographic material.
- The infinite loop holds hci_dev_lock indefinitely, stalling all Bluetooth HCI operations on the affected host and producing a hard denial-of-service condition that typically requires a reboot to resolve.
- No write or code-execution primitive is exposed by this specific flaw; integrity of kernel memory is not directly compromised.
How HarborGuard Handles This
Available on HarborGuard: any image carrying a Linux kernel version older than the fix commits (targeting 6.5 and 6.6 stable lines) is flagged immediately upon scan. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the patched kernel version, runs a regression test suite, and opens a pull request against affected workloads; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where a kernel upgrade is not immediately feasible, compensating controls include network-policy isolation to restrict adjacent-layer Bluetooth or VLAN access to affected hosts, and egress filtering to limit exposure of Bluetooth broadcast domains to untrusted peers. HarborGuard re-checks the advisory on every ingest cycle, so any additional fix commits published upstream will trigger a new rebuild offer automatically.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: affected from a0bfde167b506423111ddb8cd71930497a40fc54 and fixed before each of the following commits:
  - 6cb7f67bc28da787499291a562d49a084d9c90cd
  - 22559ad7654f61727fc270ee4893da9f4b70cf17
  - 77981a507aa0fc001dc37f0dd6631dd2042fed17
  - 665da0baaf0396f9ed3c86ccb3955dcd0b73e774
  - 5ddb8014261137cadaf83ab5617a588d80a22586
  - b475c1109251e30ec21fb574d72a1c71a4ab0039
- Linux / Linux 6.6: fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H