Skip to main content

Linux Kernel CVE-2026-53255

| EUVDEUVD-2026-39206 HIGH
Out-of-bounds Read (CWE-125)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-hxxh-4jr7-w99w
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
4.4 MEDIUM

Local HCI MGMT access needs Bluetooth privileges (PR:L, AV:L); a one-byte OOB read leaks minimal data (C:L) and only crashes on hardened/KASAN kernels (A:L), with no integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 17:03 vuln.today
CVSS changed
Jul 08, 2026 - 16:52 NVD
7.1 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
HIGH 7.1
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate advertising TLV before type checks

tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer.

A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data.

KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path:

BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 Call trace: tlv_data_is_valid() add_advertising() hci_mgmt_cmd() hci_sock_sendmsg()

Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].

AnalysisAI

Out-of-bounds read in the Linux kernel Bluetooth management (MGMT) interface lets a local user with Bluetooth privileges trigger a one-byte read past the advertising-data buffer by submitting a malformed MGMT_OP_ADD_ADVERTISING request. The flaw lives in tlv_data_is_valid(), which inspects the type octet at data[i+1] before confirming the current TLV element fits in the buffer; KASAN flags it as a vmalloc-out-of-bounds read. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local Bluetooth-management privileges
Delivery
Open HCI MGMT socket
Exploit
Send malformed MGMT_OP_ADD_ADVERTISING with trailing length byte
Execution
tlv_data_is_valid reads one byte past buffer
Impact
Leak adjacent kernel byte or trigger KASAN panic

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to the target and the ability to issue Bluetooth MGMT commands over an HCI socket (effectively CAP_NET_ADMIN), plus a kernel built with the Bluetooth MGMT subsystem enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, base 7.1) correctly models this as a locally exploitable, low-privilege issue with no user interaction, and its EPSS score of 0.17% (7th percentile) plus absence from CISA KEV indicate this is not a mass-exploitation priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user or a compromised low-privilege service that holds Bluetooth management rights opens an HCI MGMT socket and sends a crafted MGMT_OP_ADD_ADVERTISING command whose final advertising-data element has a length byte as the last byte of the buffer. The kernel's tlv_data_is_valid() reads one byte past the allocation while checking the element type, disclosing adjacent kernel memory or, on a KASAN/hardened kernel, triggering a panic. …
Remediation Apply the vendor-released stable kernel updates that reorder the element-length check before the type-octet inspection: upgrade to at least 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, or 7.0.13 depending on your branch, or pull your distribution's kernel package that incorporates the fix for CVE-2026-53255 (fix commits listed at git.kernel.org/stable, e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Linux systems with active Bluetooth and document user access controls to Bluetooth functionality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy