Skip to main content

Linux Kernel CVE-2026-46123

| EUVDEUVD-2026-32882 HIGH
Out-of-bounds Write (CWE-787)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-qxc2-9rg4-2rgv
7.7
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.7 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:52 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.7 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.7
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: virtio_bt: clamp rx length before skb_put

virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().

Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.

The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.

Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().

Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.

Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer overflow in USB transport layer"), which hardened the USB 9p transport against unchecked device-reported length.

AnalysisAI

Out-of-bounds read and information disclosure in the Linux kernel's virtio_bt (virtio Bluetooth) driver allows a malicious or buggy virtio backend to leak uninitialized kernel heap memory into received Bluetooth skbs. The virtbt_rx_work() function trusted the device-reported length from virtqueue_get_buf() without clamping it to the 1000-byte buffer actually exposed via sg_init_one(), so a hostile backend can report lengths between 1001 and skb_tailroom() - or 0 - causing skb_put() to expose untouched heap bytes or virtbt_rx_handle() to read an uninitialized pkt_type. No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), but a vendor patch is available.

Technical ContextAI

The flaw lives in drivers/bluetooth/virtio_bt.c, the para-virtualized Bluetooth transport that lets a guest VM (or other virtio consumer) talk to a Bluetooth HCI implemented in the host/backend. RX buffers are allocated with alloc_skb() and posted to the virtqueue as exactly 1000 bytes via sg_init_one(), but alloc_skb() rounds up and may leave skb_tailroom() larger than that 1000-byte window. When the backend completes the buffer, virtbt_rx_work() called skb_put(skb, len) using the backend-supplied length, comparing only against skb_tailroom() rather than against the size actually handed to the device. This is a CWE-908 / CWE-125 class issue (use of uninitialized resource / out-of-bounds read) driven by trusting an untrusted virtio peer; the fix defines VIRTBT_RX_BUF_SIZE, uses it consistently for allocation, scatter-gather mapping, and the bound check, and rejects len==0 so empty completions cannot reach virtbt_rx_handle(). The commit explicitly references commit c04db81cd028 (net/9p USB transport) as the same bug class.

RemediationAI

Vendor-released patch: update to a Linux stable release containing the virtio_bt clamp fix - specifically 6.6.140 or later on the 6.6 LTS line, 6.12.88 or later on 6.12, 6.18.30 or later on 6.18, 7.0.7 or later on 7.0, or mainline 7.1-rc3+, pulling distribution kernels rebased on these commits (21bd244b, 6c173009, b40cdd1b, e6b4296f, ed41c81d on git.kernel.org/stable). Until the patched kernel is deployed, the most effective workaround is to prevent the vulnerable driver from being loaded by blacklisting the virtio_bt module (echo 'blacklist virtio_bt' into /etc/modprobe.d/ and rebuilding initramfs) or by not attaching a virtio Bluetooth device to guests; the trade-off is loss of paravirtualized Bluetooth functionality in any VM that legitimately uses it. For confidential computing / VMM-untrusted threat models, also consider disabling unused virtio device classes at guest boot and treating the host backend as untrusted in your kernel hardening profile. Consult the upstream commits linked above for distro backport tracking.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46123 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy