CVE-2026-46123
EUVD-2026-3288228.05.2026, 10:16
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: virtio_bt: clamp rx length before skb_put
virtbt_rx_work() calls skb_put(skb, len) where len comes directly
from virtqueue_get_buf() with no validation against the buffer we
posted to the device. The RX skb is allocated in virtbt_add_inbuf()
and exposed to virtio as exactly 1000 bytes via sg_init_one().
Checking len against skb_tailroom(skb) is not sufficient because
alloc_skb() can leave more tailroom than the 1000 bytes actually
handed to the device. A malicious or buggy backend can therefore
report used.len between 1001 and skb_tailroom(skb), causing skb_put()
to include uninitialized kernel heap bytes that were never written by
the device.
The same path also accepts len == 0, in which case skb_put(skb, 0)
leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
byte from skb->data, consuming uninitialized memory.
Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
sg_init_one(), and gate virtbt_rx_work() on that same constant so
the bound checked matches the buffer actually exposed to the device.
Reject used.len == 0 in the same gate so an empty completion can
no longer reach virtbt_rx_handle().
Use bt_dev_err_ratelimited() because the length value comes from an
untrusted backend that can otherwise flood the kernel log.
Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened the USB 9p
transport against unchecked device-reported length.EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 5.15.78 ≤ 𝑥 < 5.15.209 |
| linux | linux_kernel | 6.0.8 ≤ 𝑥 < 6.1 |
| linux | linux_kernel | 6.1.1 ≤ 𝑥 < 6.1.175 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.140 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.88 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.18.30 |
| linux | linux_kernel | 6.19 ≤ 𝑥 < 7.0.7 |
| linux | linux_kernel | 6.1 |
| linux | linux_kernel | 6.1:rc4 |
| linux | linux_kernel | 6.1:rc5 |
| linux | linux_kernel | 6.1:rc6 |
| linux | linux_kernel | 6.1:rc7 |
| linux | linux_kernel | 6.1:rc8 |
| linux | linux_kernel | 7.1:rc1 |
| linux | linux_kernel | 7.1:rc2 |
𝑥
= Vulnerable software versions
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| cluster-md-kmp-default |
| ||||||||||||
| dlm-kmp-default |
| ||||||||||||
| gfs2-kmp-default |
| ||||||||||||
| kernel-64kb |
| ||||||||||||
| kernel-default |
| ||||||||||||
| kernel-default-base |
| ||||||||||||
| kernel-obs-build |
| ||||||||||||
| kernel-source |
| ||||||||||||
| kernel-zfcpdump |
| ||||||||||||
| ocfs2-kmp-default |
| ||||||||||||
| reiserfs-kmp-default |
|
Common Weakness Enumeration
Vulnerability Media Exposure
References