PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46138 Linux CVE debrief

A vulnerability in the Linux kernel's Bluetooth subsystem could allow an out-of-bounds read and trigger an infinite loop when processing LE Create BIG Complete events. The hci_le_create_big_complete_evt() function iterates over BT_BOUND connections for a Broadcast Isochronous Group (BIG) handle using a while loop, accessing ev->bis_handle[i++] on each iteration without verifying that the index i remains within the bounds of ev->num_bis. If a Bluetooth controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis set to zero, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Because out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them, leaving the connection in BT_BOUND state. The same connection is then rediscovered by hci_conn_hash_lookup_big_state(), creating an infinite loop while holding hci_dev_lock. The fix terminates the BIG when not all BIS connections can be properly established.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Linux system administrators, kernel maintainers, embedded device manufacturers using Bluetooth LE Audio, and security teams monitoring for denial-of-service conditions in Bluetooth subsystems

Technical summary

The vulnerability exists in net/bluetooth/hci_event.c in the hci_le_create_big_complete_evt() function. When processing LE_Create_BIG_Complete events from a Bluetooth controller, the function uses a while loop to iterate over BT_BOUND connections and assign BIS handles from the event's bis_handle[] flex array. The loop increments index i without checking against ev->num_bis, permitting out-of-bounds reads when the controller provides fewer handles than expected or sets num_bis=0. Rejected out-of-bounds handle values leave connections in BT_BOUND state, causing the same connection to be repeatedly found and processed, resulting in an infinite loop with hci_dev_lock held. The fix adds proper validation and BIG termination when BIS setup fails.
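The loop described in this summary and in the opening paragraph, as an added example that is not the kernel's code: a C model of the hardened handler, which checks the index against num_bis before every read and terminates the BIG when a BIS connection cannot be established, so no connection is left in BT_BOUND for the lookup to find again. The structures and the names lookup_big_state(), conn_set_handle(), terminate_big(), big_complete() and run_scenario() are simplified stand-ins, and run_scenario() constructs its own connections and event.

```c
/* Constructed model of the handler logic described above; not the kernel's own code. */
#include <stdint.h>
#include <stdlib.h>
#define HCI_CONN_HANDLE_MAX 0x0EFF
#define MAX_CONN 8
enum conn_state { BT_BOUND, BT_CONNECTED, BT_CLOSED };
struct conn { uint8_t big; enum conn_state st; uint16_t handle; };
struct le_big_complete_evt {   /* comes from the controller, so it is untrusted input */
    uint8_t big_handle;
    uint8_t num_bis;            /* number of valid entries in bis_handle[] */
    uint16_t bis_handle[];      /* flex array: only num_bis entries exist */
};
struct result { int established; int closed; };
/* Stand-in for hci_conn_hash_lookup_big_state(): first connection of this BIG in state st. */
static struct conn *lookup_big_state(struct conn *c, size_t n, uint8_t big, enum conn_state st) {
    for (size_t k = 0; k < n; k++) if (c[k].big == big && c[k].st == st) return &c[k];
    return NULL;
}
static int conn_set_handle(struct conn *c, uint16_t h) { /* stand-in for hci_conn_set_handle() */
    if (h > HCI_CONN_HANDLE_MAX) return -1;
    c->handle = h; c->st = BT_CONNECTED; return 0;
}
static void terminate_big(struct conn *c, size_t n, uint8_t big) { /* close leftover BT_BOUND conns */
    for (struct conn *k; (k = lookup_big_state(c, n, big, BT_BOUND)) != NULL;) k->st = BT_CLOSED;
}
/* Hardened handler: i is checked against num_bis before every read, and a rejected handle
 * terminates the BIG instead of leaving the connection BT_BOUND for lookup to find again. */
static int big_complete(struct conn *c, size_t n, const struct le_big_complete_evt *ev) {
    struct conn *k; uint8_t i = 0; int done = 0;
    while ((k = lookup_big_state(c, n, ev->big_handle, BT_BOUND)) != NULL) {
        if (i >= ev->num_bis || conn_set_handle(k, ev->bis_handle[i++]) < 0) {
            terminate_big(c, n, ev->big_handle); return -1;
        }
        done++;
    }
    return done;
}
/* Constructed scenario: `bound` BT_BOUND connections in BIG 1 and an event carrying num_bis
 * handles first_handle, first_handle+1, ...; returns the handler result and how many closed. */
struct result run_scenario(size_t bound, uint8_t num_bis, uint16_t first_handle) {
    struct conn conns[MAX_CONN] = {0}; struct result r = {-2, 0};
    struct le_big_complete_evt *ev = malloc(sizeof *ev + num_bis * sizeof(uint16_t));
    if (!ev || bound > MAX_CONN) { free(ev); return r; }
    for (size_t k = 0; k < bound; k++) conns[k].big = 1;      /* st is BT_BOUND (0) already */
    ev->big_handle = 1; ev->num_bis = num_bis;
    for (uint8_t k = 0; k < num_bis; k++) ev->bis_handle[k] = (uint16_t)(first_handle + k);
    r.established = big_complete(conns, bound, ev);
    for (size_t k = 0; k < bound; k++) r.closed += conns[k].st == BT_CLOSED;
    free(ev);
    return r;
}
```

run_scenario(2, 0, 0x10) is the num_bis=0 case from the summary and run_scenario(3, 2, 0x10) the fewer-handles-than-bound-connections case; both end with the BIG terminated rather than the handler spinning.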

Defensive priority

High

Recommended defensive actions

  • Apply kernel updates containing the fix for hci_le_create_big_complete_evt() once available from your Linux distribution
  • Monitor stable kernel branches for backported patches to affected versions
  • Review Bluetooth controller firmware for compliance with LE Audio BIG event specifications
  • Consider disabling Bluetooth or LE Audio features on critical systems until patches are applied
  • Audit systems for unexpected hci_dev_lock contention or soft lockups as potential indicators of exploitation attempts

Evidence notes

Vulnerability description confirms OOB read and infinite loop conditions in hci_le_create_big_complete_evt(). Kernel commit references indicate stable branch backports. No CVSS score or severity assigned by NVD at time of disclosure.

Official resources

2026-05-28