Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local HCI MGMT access needs Bluetooth privileges (PR:L, AV:L); a one-byte OOB read leaks minimal data (C:L) and only crashes on hardened/KASAN kernels (A:L), with no integrity impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: validate advertising TLV before type checks
tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer.
A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data.
KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path:
BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 Call trace: tlv_data_is_valid() add_advertising() hci_mgmt_cmd() hci_sock_sendmsg()
Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].
AnalysisAI
Out-of-bounds read in the Linux kernel Bluetooth management (MGMT) interface lets a local user with Bluetooth privileges trigger a one-byte read past the advertising-data buffer by submitting a malformed MGMT_OP_ADD_ADVERTISING request. The flaw lives in tlv_data_is_valid(), which inspects the type octet at data[i+1] before confirming the current TLV element fits in the buffer; KASAN flags it as a vmalloc-out-of-bounds read. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to the target and the ability to issue Bluetooth MGMT commands over an HCI socket (effectively CAP_NET_ADMIN), plus a kernel built with the Bluetooth MGMT subsystem enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, base 7.1) correctly models this as a locally exploitable, low-privilege issue with no user interaction, and its EPSS score of 0.17% (7th percentile) plus absence from CISA KEV indicate this is not a mass-exploitation priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user or a compromised low-privilege service that holds Bluetooth management rights opens an HCI MGMT socket and sends a crafted MGMT_OP_ADD_ADVERTISING command whose final advertising-data element has a length byte as the last byte of the buffer. The kernel's tlv_data_is_valid() reads one byte past the allocation while checking the element type, disclosing adjacent kernel memory or, on a KASAN/hardened kernel, triggering a panic. … |
| Remediation | Apply the vendor-released stable kernel updates that reorder the element-length check before the type-octet inspection: upgrade to at least 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, or 7.0.13 depending on your branch, or pull your distribution's kernel package that incorporates the fix for CVE-2026-53255 (fix commits listed at git.kernel.org/stable, e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Linux systems with active Bluetooth and document user access controls to Bluetooth functionality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39206
GHSA-hxxh-4jr7-w99w