CVE-2026-46123

EUVD-2026-32882
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: virtio_bt: clamp rx length before skb_put

virtbt_rx_work() calls skb_put(skb, len) where len comes directly
from virtqueue_get_buf() with no validation against the buffer we
posted to the device. The RX skb is allocated in virtbt_add_inbuf()
and exposed to virtio as exactly 1000 bytes via sg_init_one().

Checking len against skb_tailroom(skb) is not sufficient because
alloc_skb() can leave more tailroom than the 1000 bytes actually
handed to the device. A malicious or buggy backend can therefore
report used.len between 1001 and skb_tailroom(skb), causing skb_put()
to include uninitialized kernel heap bytes that were never written by
the device.

The same path also accepts len == 0, in which case skb_put(skb, 0)
leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
byte from skb->data, consuming uninitialized memory.

Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
sg_init_one(), and gate virtbt_rx_work() on that same constant so
the bound checked matches the buffer actually exposed to the device.
Reject used.len == 0 in the same gate so an empty completion can
no longer reach virtbt_rx_handle().

Use bt_dev_err_ratelimited() because the length value comes from an
untrusted backend that can otherwise flood the kernel log.

Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened the USB 9p
transport against unchecked device-reported length.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.7 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.15.78 ≤
𝑥
< 5.15.209
linuxlinux_kernel
6.0.8 ≤
𝑥
< 6.1
linuxlinux_kernel
6.1.1 ≤
𝑥
< 6.1.175
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.140
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.88
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.30
linuxlinux_kernel
6.19 ≤
𝑥
< 7.0.7
linuxlinux_kernel
6.1
linuxlinux_kernel
6.1:rc4
linuxlinux_kernel
6.1:rc5
linuxlinux_kernel
6.1:rc6
linuxlinux_kernel
6.1:rc7
linuxlinux_kernel
6.1:rc8
linuxlinux_kernel
7.1:rc1
linuxlinux_kernel
7.1:rc2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.176-1
fixed
bookworm (security)
6.1.176-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.259-1
fixed
forky
7.1.3-1
fixed
sid
7.1.3-1
fixed
trixie
6.12.94-1
fixed
trixie (security)
6.12.95-1
fixed
linux-6.1
bullseye (security)
6.1.176-1~deb11u1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.172.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1
fixed
dlm-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.172.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1
fixed
gfs2-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.172.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1
fixed
kernel-64kb
suse enterprise desktop 15 SP7
6.4.0-150700.53.63.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.63.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.225.2
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.172.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.63.1
fixed
kernel-default
suse enterprise desktop 15 SP7
6.4.0-150700.53.63.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.63.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.225.2
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.172.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.63.1
fixed
kernel-default-base
suse enterprise desktop 15 SP7
6.4.0-150700.53.63.1.150700.17.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.63.1.150700.17.37.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.225.2.150400.24.114.2
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.172.2.150500.6.81.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1.150600.12.56.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.63.1.150700.17.37.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP7
6.4.0-150700.53.63.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.63.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.225.2
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.172.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.63.1
fixed
kernel-source
suse enterprise desktop 15 SP7
6.4.0-150700.53.63.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.63.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.225.2
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.172.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.63.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP7
6.4.0-150700.53.63.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.63.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.225.2
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.172.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.63.1
fixed
ocfs2-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.172.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1
fixed
reiserfs-kmp-default
suse enterprise server 15 SP4
5.14.21-150400.24.225.2
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.172.2
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.118.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
Azure Linux 3.0
0:6.6.141.1-1.azl3
fixed