PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46186 Linux CVE debrief

A vulnerability in the Linux kernel's Bluetooth virtio transport driver (virtio_bt) allowed a malicious or compromised backend to trigger out-of-bounds memory reads. The virtbt_rx_handle() function processed received packets without validating that the remaining payload length met the minimum header size requirements for the declared packet type (event, ACL, SCO, or ISO). A one-byte packet could reach hci_recv_frame() with zero remaining length, causing the ACL-vs-ISO classification fast-path to dereference hci_acl_hdr(skb)->handle and read two bytes of uninitialized RX buffer data when CIS_LINK, BIS_LINK, or PA_LINK connections were active. The fix adds length validation against per-type minimum header sizes (2 bytes for events, 4 for ACL, 3 for SCO, 4 for ISO) before calling hci_recv_frame(), with ratelimited error logging to prevent log flooding from untrusted backends.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running virtualized Linux workloads with Bluetooth virtio transport enabled; cloud providers offering nested virtualization with Bluetooth passthrough; and security teams monitoring kernel memory safety issues in virtualization stacks.

Technical summary

The virtio_bt driver in the Linux kernel failed to validate that received Bluetooth packets contained sufficient data for their declared packet type headers. After stripping the leading pkt_type byte, the driver forwarded remaining SKB data to hci_recv_frame() without checking minimum length requirements: 2 bytes for HCI events, 4 bytes for ACL data, 3 bytes for SCO data, and 4 bytes for ISO data. This allowed a malicious virtio backend to send single-byte packets that would cause the HCI core to read beyond valid buffer boundaries when classifying packet types, specifically triggering uninitialized memory reads in hci_dev_classify_pkt_type() when ISO connections were active. The vulnerability is exploitable only from within the virtualized environment by a compromised backend, not remotely over Bluetooth radio.
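The per-type length check described above, modeled as a small user-space C program. This is an added example, not the kernel patch or code from the original page; the names min_hdr_len and rx_validate and the sample buffers are constructed for illustration, and dropping unknown packet types is an assumption of this sketch.

```c
/* User-space model of the RX length check; names are hypothetical, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HCI packet indicator values carried in the leading pkt_type byte. */
enum { PKT_ACL = 0x02, PKT_SCO = 0x03, PKT_EVENT = 0x04, PKT_ISO = 0x05 };

/* Minimum header size in bytes for a packet type, or 0 if the type is unknown. */
static size_t min_hdr_len(uint8_t pkt_type)
{
    switch (pkt_type) {
    case PKT_EVENT: return 2; /* event code + parameter length */
    case PKT_ACL:   return 4; /* handle/flags (2) + data length (2) */
    case PKT_SCO:   return 3; /* handle/flags (2) + data length (1) */
    case PKT_ISO:   return 4; /* handle/flags (2) + data length (2) */
    default:        return 0; /* assumption: unknown types are dropped */
    }
}

/* Returns 0 and sets *payload / *payload_len when the buffer is safe to
 * forward to the HCI layer; returns -1 when it must be dropped. */
static int rx_validate(const uint8_t *buf, size_t len,
                       const uint8_t **payload, size_t *payload_len)
{
    size_t need;

    if (len < 1)
        return -1;                      /* no pkt_type byte at all */
    need = min_hdr_len(buf[0]);
    if (need == 0 || len - 1 < need)
        return -1;                      /* unknown type or truncated header */
    *payload = buf + 1;                 /* strip the pkt_type byte */
    *payload_len = len - 1;
    return 0;
}

int main(void)
{
    /* Constructed sample buffers: a one-byte ACL packet and a header-only ACL packet. */
    const uint8_t one_byte[] = { PKT_ACL };
    const uint8_t acl_ok[] = { PKT_ACL, 0x01, 0x00, 0x00, 0x00 };
    const uint8_t *p; size_t n;

    printf("one-byte ACL: %d\n", rx_validate(one_byte, sizeof one_byte, &p, &n));
    printf("header-only ACL: %d\n", rx_validate(acl_ok, sizeof acl_ok, &p, &n));
    return 0;
}
```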

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches: 6.1.x, 6.6.x, 6.12.x, 6.14.x, and 6.15.x
  • Verify that the virtio_bt driver has been updated to include the pkt_type header length validation
  • Monitor kernel logs for the ratelimited errors (bt_dev_err_ratelimited) that indicate malformed packets from the backend
  • Review the security posture of the virtualization backend, since exploitation requires a compromised or malicious backend
  • Consider disabling Bluetooth virtio transport in high-security virtualized environments if not required

Evidence notes

Vulnerability description and patch details sourced from official CVE record and kernel.org stable tree commits. The issue was resolved by commits across multiple stable kernel branches.
