{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46123","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.098Z","datePublished":"2026-05-28T09:35:38.003Z","dateUpdated":"2026-06-14T17:56:08.614Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T17:56:08.614Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: virtio_bt: clamp rx length before skb_put\n\nvirtbt_rx_work() calls skb_put(skb, len) where len comes directly\nfrom virtqueue_get_buf() with no validation against the buffer we\nposted to the device. The RX skb is allocated in virtbt_add_inbuf()\nand exposed to virtio as exactly 1000 bytes via sg_init_one().\n\nChecking len against skb_tailroom(skb) is not sufficient because\nalloc_skb() can leave more tailroom than the 1000 bytes actually\nhanded to the device. A malicious or buggy backend can therefore\nreport used.len between 1001 and skb_tailroom(skb), causing skb_put()\nto include uninitialized kernel heap bytes that were never written by\nthe device.\n\nThe same path also accepts len == 0, in which case skb_put(skb, 0)\nleaves the skb empty but virtbt_rx_handle() still reads the pkt_type\nbyte from skb->data, consuming uninitialized memory.\n\nDefine VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and\nsg_init_one(), and gate virtbt_rx_work() on that same constant so\nthe bound checked matches the buffer actually exposed to the device.\nReject used.len == 0 in the same gate so an empty completion can\nno longer reach virtbt_rx_handle().\n\nUse bt_dev_err_ratelimited() because the length value comes from an\nuntrusted backend that can otherwise flood the kernel log.\n\nSame class of bug as commit c04db81cd028 (\"net/9p: Fix buffer\noverflow in USB transport layer\"), which hardened the USB 9p\ntransport against unchecked device-reported length."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":7.7,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/bluetooth/virtio_bt.c"],"versions":[{"version":"cf2719a21fdb9d4c8e9c834d279163609bef575d","lessThan":"4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a","status":"affected","versionType":"git"},{"version":"160fbcf3bfb93c3c086427f9f4c8bc70f217e9be","lessThan":"fd91fa2678ab603dfb285416c1cf3843d7be1e41","status":"affected","versionType":"git"},{"version":"160fbcf3bfb93c3c086427f9f4c8bc70f217e9be","lessThan":"ed41c81d30b211a671667259c3b5feeba0e062d5","status":"affected","versionType":"git"},{"version":"160fbcf3bfb93c3c086427f9f4c8bc70f217e9be","lessThan":"6c1730099a6fc18b183bd6c1adad3b54adcaeda9","status":"affected","versionType":"git"},{"version":"160fbcf3bfb93c3c086427f9f4c8bc70f217e9be","lessThan":"b40cdd1b1370d76e9e760af4490cb4a351cceead","status":"affected","versionType":"git"},{"version":"160fbcf3bfb93c3c086427f9f4c8bc70f217e9be","lessThan":"e6b4296f170d949ebba937cf6a3f247ec9550d2c","status":"affected","versionType":"git"},{"version":"160fbcf3bfb93c3c086427f9f4c8bc70f217e9be","lessThan":"21bd244b6de5d2fe1063c23acc93fbdd2b20d112","status":"affected","versionType":"git"},{"version":"9b67438e315b925a699f0178f4a48baf3d2d6ef4","status":"affected","versionType":"git"},{"version":"5.15.78","lessThan":"5.15.209","status":"affected","versionType":"semver"},{"version":"6.0.8","lessThan":"6.1","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/bluetooth/virtio_bt.c"],"versions":[{"version":"6.1","status":"affected"},{"version":"0","lessThan":"6.1","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.78","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.12.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.18.30"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"7.0.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"7.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a"},{"url":"https://git.kernel.org/stable/c/fd91fa2678ab603dfb285416c1cf3843d7be1e41"},{"url":"https://git.kernel.org/stable/c/ed41c81d30b211a671667259c3b5feeba0e062d5"},{"url":"https://git.kernel.org/stable/c/6c1730099a6fc18b183bd6c1adad3b54adcaeda9"},{"url":"https://git.kernel.org/stable/c/b40cdd1b1370d76e9e760af4490cb4a351cceead"},{"url":"https://git.kernel.org/stable/c/e6b4296f170d949ebba937cf6a3f247ec9550d2c"},{"url":"https://git.kernel.org/stable/c/21bd244b6de5d2fe1063c23acc93fbdd2b20d112"}],"title":"Bluetooth: virtio_bt: clamp rx length before skb_put","x_generator":{"engine":"bippy-1.2.0"}}}}