Skip to main content

Linux Kernel EUVDEUVD-2026-32813

| CVE-2026-46186 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6g4j-4jrg-pgpx
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

AV:L and PR:L reflect virtio backend control requirement; C:L added because uninitialized RX-buffer bytes are demonstrably read, per description and Information Disclosure tag.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 11, 2026 - 03:10 vuln.today
CVSS changed
Jun 11, 2026 - 03:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: virtio_bt: validate rx pkt_type header length

virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.

After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.

After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.

Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.

AnalysisAI

Uninitialized memory read in Linux kernel's Bluetooth virtio_bt driver allows a malicious or compromised virtio backend to trigger kernel DoS and potential information disclosure against guest VMs. The driver's virtbt_rx_handle() function fails to validate that received RX socket buffers contain sufficient bytes to cover the fixed HCI header for the declared packet type before forwarding to hci_recv_frame(). A backend-supplied one-byte completion with type HCI_ACLDATA_PKT causes the ACL classification path in hci_dev_classify_pkt_type() to dereference hci_acl_hdr(skb)->handle on an empty buffer when the HCI device holds an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with a kernel subsystem bug requiring privileged backend access in a virtualized environment.

Technical ContextAI

The virtio_bt driver (drivers/bluetooth/virtio_bt.c) implements a Bluetooth HCI transport over virtio for virtualized guests. The affected function virtbt_rx_handle() strips the leading pkt_type byte from each received skb and dispatches the remainder to the core hci_recv_frame() for HCI_EVENT_PKT, HCI_ACLDATA_PKT, HCI_SCODATA_PKT, and HCI_ISODATA_PKT types. The root cause is CWE-908 (Use of Uninitialized Resource): the driver never checks skb->len against the type-specific minimum HCI header sizes (event: 2 bytes, ACL: 4 bytes, SCO: 3 bytes, ISO: 4 bytes) after stripping pkt_type. Because the virtio backend can supply an arbitrarily small used.len, a one-byte buffer results in skb->len == 0 after the pull, and hci_dev_classify_pkt_type() then reads past the valid buffer bounds. The tags 'Information Disclosure' suggest the uninitialized read may leak kernel RX-buffer contents, though the NVD-provided CVSS marks C:N. Affected CPEs cover cpe:2.3:o:linux:linux_kernel across multiple version ranges including 6.1:rc4 and 6.1:rc5 specifically.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3, per EUVD-confirmed patch data. Upstream fix commits are available at https://git.kernel.org/stable/c/1e1e509b6fd2a42421745bbcd98bd16daad20904, https://git.kernel.org/stable/c/2c1143564c71e7497b42d8360a8379ccbb011d3c, https://git.kernel.org/stable/c/3485c7236c59c8c34a41af1c4b52982437554e79, https://git.kernel.org/stable/c/daf23014e5d975e72ea9c02b5160d3fcf070ea47, and https://git.kernel.org/stable/c/f743eab6486965f276c7e3f1700895f014fdc6db. As a compensating control on unpatched systems, unload or blacklist the virtio_bt kernel module (modprobe -r virtio_bt; echo 'blacklist virtio_bt' >> /etc/modprobe.d/blacklist.conf) if Bluetooth passthrough via virtio is not required - this eliminates the attack surface entirely but disables all virtio Bluetooth functionality. Environments that require virtio_bt should treat the virtio backend as a trust boundary and ensure hypervisor-level isolation prevents tenant-accessible backend manipulation.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy