Skip to main content

Linux Kernel EUVDEUVD-2026-39300

| CVE-2026-53209 HIGH
Out-of-bounds Write (CWE-787)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jfwg-qvfj-22x4
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local-only path (AV:L) reachable by a user with Bluetooth-management privilege (PR:L); kernel buffer overrun yields full memory-corruption impact, so C/I/A High.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:33 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend

Existing advertising instances can already hold the maximum extended advertising payload. When hci_adv_bcast_annoucement() prepends the Broadcast Announcement service data to that payload, the combined data may no longer fit in the temporary buffer used to rebuild the advertising data.

Reject that case before copying the existing payload and report the failure through the device log. This keeps the existing advertising data intact and avoids overrunning the temporary buffer.

AnalysisAI

Memory corruption in the Linux kernel Bluetooth subsystem (hci_sync) allows a local privileged user to overrun a temporary buffer when the Broadcast Announcement service data is prepended to an already-maximum-sized extended advertising payload. The flaw affects systems using Bluetooth LE Audio / Broadcast Audio Profile advertising; the upstream fix rejects the oversized combination before copying, preserving the existing advertising data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local privileged Bluetooth access
Delivery
Configure max-size extended advertising instance
Exploit
Enable LE Audio broadcast announcement
Execution
Prepend overruns temporary buffer
Impact
Kernel memory corruption (DoS / potential escalation)

Vulnerability AssessmentAI

Exploitation Exploitation requires local access with the capability to manage Bluetooth advertising (typically CAP_NET_ADMIN), and the system must use LE Audio Broadcast Announcement advertising. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent toward a moderate, locally-scoped kernel memory-safety bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with Bluetooth management privileges configures an extended advertising instance carrying the maximum-size payload, then enables a LE Audio broadcast source so the kernel prepends the Broadcast Announcement service data, overrunning the temporary advertising buffer. The resulting kernel memory corruption could crash the system (denial of service) or, with careful layout control, be leveraged toward privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) depending on your branch - or apply the distribution kernel update that backports the corresponding git.kernel.org commits (02f50e8bb69f, 10b0e832cc05, 1338ee049a89, 5c65b96b549e, cdd8bbdbee76, dafc9f57140e). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems with Bluetooth LE Audio and Broadcast Audio Profile support. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy