Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Bluetooth proximity gives AV:A; no auth or interaction once in range (PR:N/UI:N/AC:L); out-of-bounds read yields memory disclosure (C:H) and crash (A:H), no write (I:N).
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: RFCOMM: validate skb length in MCC handlers
The RFCOMM MCC handlers cast skb->data to protocol-specific structs without validating skb->len first. A malicious remote device can send truncated MCC frames and trigger out-of-bounds reads in these handlers.
Fix this by using skb_pull_data() to validate and access the required data before dereferencing it.
rfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows 1-byte RPN requests. Handle this by validating only the DLCI byte first, and validating the full struct only when len > 1.
AnalysisAI
Out-of-bounds read in the Linux kernel's Bluetooth RFCOMM stack allows a malicious paired or in-range remote device to leak adjacent kernel memory or crash the host by sending truncated MCC (Multiplexer Control Channel) frames. The RFCOMM MCC handlers cast skb->data to protocol structs without first checking skb->len, so short frames cause reads past the buffer; impact is confidentiality and availability loss (CVSS 8.1). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to have the Bluetooth RFCOMM stack loaded and reachable, and the attacker to be within Bluetooth radio range (CVSS AV:A - Adjacent), able to establish or drive an RFCOMM session and send MCC control frames. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a real-but-bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker within Bluetooth range of a target laptop or IoT device initiates an RFCOMM connection and sends a deliberately truncated MCC command frame (for example a short RPN or PN request) whose declared struct is larger than the bytes actually present. The handler reads past the socket buffer, leaking adjacent kernel memory back through protocol responses or crashing the kernel for a denial of service. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 or later as appropriate for your series, or your distribution's equivalent backport. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and catalog all Linux systems with Bluetooth capability, prioritizing production servers, workstations, and IoT infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39205
GHSA-v722-58f9-vcj4