Skip to main content

Linux Kernel EUVDEUVD-2026-39204

| CVE-2026-53253 HIGH
Out-of-bounds Read (CWE-125)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-p8x7-mcx2-j6w7
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
vuln.today AI
6.5 MEDIUM

Adjacent Bluetooth BNEP peer (AV:A), low-complexity short frame (AC:L), no auth or interaction; impact is a kernel-crash DoS (A:H) with a single OOB byte giving no real confidentiality (C:N).

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:44 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.1 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.1
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: bnep: reject short frames before parsing

A BNEP peer can send a short BNEP SDU. bnep_rx_frame() reads the packet type byte immediately and, for control packets, reads the control opcode and setup UUID-size byte before proving that those bytes are present. bnep_rx_control() also dereferences the control opcode without rejecting an empty control payload.

Use skb_pull_data() for the fixed fields in bnep_rx_frame() so a NULL return gates each dereference. Split the control handler so the frame path can pass an opcode that has already been pulled, and keep the byte-buffer wrapper for extension control payloads.

For BNEP_SETUP_CONN_REQ, name the UUID-size byte before pulling the setup payload. struct bnep_setup_conn_req carries destination and source service UUIDs after that byte, each uuid_size bytes, so the parser now documents that tuple explicitly instead of leaving the pull length as an opaque multiplication.

Validation reproduced this kernel report: KASAN slab-out-of-bounds in bnep_rx_frame.isra.0+0x130c/0x1790 The buggy address belongs to the object at ffff88800c0f7908 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes to the right of allocated 1-byte region [ffff88800c0f7908, ffff88800c0f7909) Read of size 1 Call trace: dump_stack_lvl+0xb3/0x140 (?:?) print_address_description+0x57/0x3a0 (?:?) bnep_rx_frame+0x130c/0x1790 (net/bluetooth/bnep/core.c:306) print_report+0xb9/0x2b0 (?:?) __virt_addr_valid+0x1ba/0x3a0 (?:?) srso_alias_return_thunk+0x5/0xfbef5 (?:?) kasan_addr_to_slab+0x21/0x60 (?:?) kasan_report+0xe0/0x110 (?:?) process_one_work+0xfce/0x17e0 (kernel/workqueue.c:3200) worker_thread+0x65c/0xe40 (?:?) __kthread_parkme+0x184/0x230 (?:?) kthread+0x35e/0x470 (?:?) _raw_spin_unlock_irq+0x28/0x50 (?:?) ret_from_fork+0x586/0x870 (?:?) __switch_to+0x74f/0xdc0 (?:?) ret_from_fork_asm+0x1a/0x30 (?:?)

AnalysisAI

Out-of-bounds read in the Linux kernel's Bluetooth BNEP (Bluetooth Network Encapsulation Protocol) subsystem allows an adjacent attacker to crash the kernel by sending a malformed short BNEP frame over an established PAN connection. The flaw in bnep_rx_frame()/bnep_rx_control() in net/bluetooth/bnep/core.c reads the packet-type, control-opcode, and setup UUID-size bytes before confirming they are present, producing a KASAN-confirmed slab-out-of-bounds read past a 1-byte kmalloc-8 allocation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Establish Bluetooth BNEP/PAN session
Delivery
Send truncated short BNEP control frame
Exploit
Parser reads opcode/UUID-size past buffer
Execution
Out-of-bounds read in bnep_rx_frame
Impact
Kernel crash / denial of service

Vulnerability AssessmentAI

Exploitation Requires Bluetooth adjacency (AV:A) and an active BNEP/PAN session: the target must have the Linux Bluetooth bnep module loaded and a BNEP connection established with the attacker as peer. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H, base 7.1) is internally consistent: exploitation requires adjacency (a paired/established Bluetooth BNEP session within radio range), no authentication beyond the Bluetooth link, no user interaction, and the dominant impact is availability (kernel crash/DoS) with at most marginal confidentiality from a single out-of-bounds byte. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker within Bluetooth range establishes or hijacks a BNEP PAN connection to a target Linux device and transmits a deliberately truncated BNEP control frame (e.g., a short BNEP_SETUP_CONN_REQ) that lacks the bytes the parser expects. The kernel reads the opcode/UUID-size fields past the end of a tiny allocation, triggering an out-of-bounds read that crashes the kernel (a panic under KASAN/hardening), denying service to the victim. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backported equivalent), referencing the upstream stable commits at https://git.kernel.org/stable/c/0ef2ea86c82b2615902d085cd5a586fe9f58994f and the other listed git.kernel.org commits. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit Linux systems for active Bluetooth BNEP usage via 'systemctl status bluetooth' and 'lsmod | grep bnep'. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy