PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46123 Linux CVE debrief

A buffer validation flaw in the Linux kernel's Bluetooth virtio transport driver (virtio_bt) allows a malicious or buggy hypervisor/backend to cause information disclosure via uninitialized kernel heap memory. The virtbt_rx_work() function accepts length values from virtqueue_get_buf() without proper bounds checking against the actual buffer size exposed to the device. While the RX buffer is allocated as 1000 bytes and exposed via sg_init_one(), skb_tailroom() may report additional space, enabling a backend to report used.len between 1001 and skb_tailroom(skb). This causes skb_put() to include uninitialized heap bytes. Additionally, len == 0 is accepted, causing virtbt_rx_handle() to read uninitialized memory when accessing skb->data for the pkt_type byte. The fix defines VIRTBT_RX_BUF_SIZE as a single constant used consistently across allocation, scatter-gather setup, and validation, rejecting both oversized and zero-length completions. Rate-limited error logging is used to prevent log flooding from untrusted backends. This vulnerability class matches prior hardening in the 9p USB transport layer (commit c04db81cd028).

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Organizations running Linux guests with Bluetooth virtio passthrough in virtualized environments; cloud providers offering nested virtualization; security teams monitoring for hypervisor escape or information disclosure vectors; kernel maintainers backporting stable fixes

Technical summary

The virtio_bt driver in the Linux kernel failed to validate RX buffer lengths returned by virtqueue_get_buf() against the actual 1000-byte buffer exposed to the virtio device. skb_tailroom() can exceed the exposed buffer size, allowing a malicious backend to trigger inclusion of uninitialized kernel heap memory in socket buffers. Zero-length completions were also improperly handled, causing reads from uninitialized skb->data. The fix centralizes buffer size definition and enforces strict bounds checking with rate-limited error reporting.
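The length handling described in the debrief and the summary above, as an added C model of the RX completion path (constructed for this page, not the kernel's virtio_bt source). It assumes a 1024-byte rounded-up allocation behind the 1000-byte scatter-gather entry and that the pre-fix driver compared the reported length only against the skb tail room; it shows how an over-reported or zero length pulls never-written bytes into the skb and how a single VIRTBT_RX_BUF_SIZE bound rejects both cases.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the virtio_bt RX path, not the kernel code. The
 * driver exposes VIRTBT_RX_BUF_SIZE bytes to the device, but the skb's
 * real tail room is larger because the allocation is rounded up. */
#define VIRTBT_RX_BUF_SIZE 1000
#define SKB_ALLOC_SIZE     1024   /* assumed rounded-up allocation (tail room) */
#define HEAP_POISON        0xAA   /* marks bytes the device never wrote */
#define DEVICE_FILL        0x11   /* marks bytes the device actually wrote */

struct model_skb {
    uint8_t data[SKB_ALLOC_SIZE];
    size_t len;
};

/* Hardened validation: reject zero-length and over-sized completions. */
static int virtbt_rx_len_valid(unsigned int len)
{
    return len != 0 && len <= VIRTBT_RX_BUF_SIZE;
}

/* Simulate one used-ring completion reporting `used_len`. `hardened` selects
 * the fixed check; the legacy check (assumed) only compared against tail
 * room. Returns the count of never-written bytes that end up readable in
 * the skb, or -1 when the completion is rejected. */
int virtbt_rx_complete(unsigned int used_len, int hardened)
{
    struct model_skb skb;
    unsigned int leaked = 0, i;
    /* The device can only write inside the exposed 1000-byte sg entry. */
    unsigned int written = used_len < VIRTBT_RX_BUF_SIZE ? used_len
                                                         : VIRTBT_RX_BUF_SIZE;

    memset(skb.data, HEAP_POISON, sizeof skb.data);  /* fresh, uninitialized */
    memset(skb.data, DEVICE_FILL, written);          /* bytes the device wrote */

    if (hardened ? !virtbt_rx_len_valid(used_len) : used_len > SKB_ALLOC_SIZE)
        return -1;  /* dropped; the real driver logs a rate-limited error */

    skb.len = used_len;  /* skb_put(skb, len) */
    /* virtbt_rx_handle() reads skb->data[0] as pkt_type; with len == 0 that
     * byte was never written by the device, so count it as one leaked byte. */
    if (skb.len == 0)
        return 1;
    for (i = 0; i < skb.len; i++)
        if (skb.data[i] == HEAP_POISON)
            leaked++;
    return (int)leaked;
}
```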

Defensive priority

High

Recommended defensive actions

  • Apply kernel updates containing the virtio_bt fixes from the referenced stable kernel commits
  • Verify virtio_bt driver is not loaded on systems where Bluetooth over virtio is not required
  • Monitor kernel logs for bt_dev_err_ratelimited messages indicating backend length anomalies
  • Review virtualization configurations to ensure trusted hypervisor backends
  • Audit systems running as virtio guests with Bluetooth passthrough for unexpected memory exposure indicators

Evidence notes

Vulnerability description confirms the buffer size mismatch between sg_init_one() exposure (1000 bytes) and skb_tailroom() potential over-reporting. Fix introduces VIRTBT_RX_BUF_SIZE constant for consistent bounds checking. Zero-length completion path also hardened. Source references include five stable kernel commits indicating backports to multiple kernel versions.

Official resources

2026-05-28