Skip to main content

Linux Kernel EUVDEUVD-2026-39205

| CVE-2026-53254 HIGH
Out-of-bounds Read (CWE-125)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-v722-58f9-vcj4
8.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
8.1 HIGH

Bluetooth proximity gives AV:A; no auth or interaction once in range (PR:N/UI:N/AC:L); out-of-bounds read yields memory disclosure (C:H) and crash (A:H), no write (I:N).

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:45 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.1 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.1
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: RFCOMM: validate skb length in MCC handlers

The RFCOMM MCC handlers cast skb->data to protocol-specific structs without validating skb->len first. A malicious remote device can send truncated MCC frames and trigger out-of-bounds reads in these handlers.

Fix this by using skb_pull_data() to validate and access the required data before dereferencing it.

rfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows 1-byte RPN requests. Handle this by validating only the DLCI byte first, and validating the full struct only when len > 1.

AnalysisAI

Out-of-bounds read in the Linux kernel's Bluetooth RFCOMM stack allows a malicious paired or in-range remote device to leak adjacent kernel memory or crash the host by sending truncated MCC (Multiplexer Control Channel) frames. The RFCOMM MCC handlers cast skb->data to protocol structs without first checking skb->len, so short frames cause reads past the buffer; impact is confidentiality and availability loss (CVSS 8.1). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position within Bluetooth range
Delivery
Open RFCOMM/MCC session to target
Exploit
Send truncated MCC control frame
Execution
Handler reads past skb buffer
Impact
Leak kernel memory or crash host

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to have the Bluetooth RFCOMM stack loaded and reachable, and the attacker to be within Bluetooth radio range (CVSS AV:A - Adjacent), able to establish or drive an RFCOMM session and send MCC control frames. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a real-but-bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker within Bluetooth range of a target laptop or IoT device initiates an RFCOMM connection and sends a deliberately truncated MCC command frame (for example a short RPN or PN request) whose declared struct is larger than the bytes actually present. The handler reads past the socket buffer, leaking adjacent kernel memory back through protocol responses or crashing the kernel for a denial of service. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 or later as appropriate for your series, or your distribution's equivalent backport. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and catalog all Linux systems with Bluetooth capability, prioritizing production servers, workstations, and IoT infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39205 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy