Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only path (AV:L) reachable by a user with Bluetooth-management privilege (PR:L); kernel buffer overrun yields full memory-corruption impact, so C/I/A High.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
Existing advertising instances can already hold the maximum extended advertising payload. When hci_adv_bcast_annoucement() prepends the Broadcast Announcement service data to that payload, the combined data may no longer fit in the temporary buffer used to rebuild the advertising data.
Reject that case before copying the existing payload and report the failure through the device log. This keeps the existing advertising data intact and avoids overrunning the temporary buffer.
AnalysisAI
Memory corruption in the Linux kernel Bluetooth subsystem (hci_sync) allows a local privileged user to overrun a temporary buffer when the Broadcast Announcement service data is prepended to an already-maximum-sized extended advertising payload. The flaw affects systems using Bluetooth LE Audio / Broadcast Audio Profile advertising; the upstream fix rejects the oversized combination before copying, preserving the existing advertising data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access with the capability to manage Bluetooth advertising (typically CAP_NET_ADMIN), and the system must use LE Audio Broadcast Announcement advertising. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent toward a moderate, locally-scoped kernel memory-safety bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with Bluetooth management privileges configures an extended advertising instance carrying the maximum-size payload, then enables a LE Audio broadcast source so the kernel prepends the Broadcast Announcement service data, overrunning the temporary advertising buffer. The resulting kernel memory corruption could crash the system (denial of service) or, with careful layout control, be leveraged toward privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) depending on your branch - or apply the distribution kernel update that backports the corresponding git.kernel.org commits (02f50e8bb69f, 10b0e832cc05, 1338ee049a89, 5c65b96b549e, cdd8bbdbee76, dafc9f57140e). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems with Bluetooth LE Audio and Broadcast Audio Profile support. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39300
GHSA-jfwg-qvfj-22x4