{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53255","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.394Z","datePublished":"2026-06-25T08:39:45.934Z","dateUpdated":"2026-06-25T08:39:45.934Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-25T08:39:45.934Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate advertising TLV before type checks\n\ntlv_data_is_valid() reads each advertising data field length from\ndata[i], then inspects data[i + 1] for managed EIR types before\nchecking that the current field still fits inside the supplied buffer.\n\nA malformed field whose length byte is the last byte of the buffer can\ntherefore make the parser read one byte past the advertising data.\n\nKASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING\nrequest reached that path:\n\n  BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()\n  Read of size 1\n  Call trace:\n    tlv_data_is_valid()\n    add_advertising()\n    hci_mgmt_cmd()\n    hci_sock_sendmsg()\n\nMove the existing element-length check before any type-octet inspection\nso each non-empty element is proven to contain its type byte before the\nparser looks at data[i + 1]."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/mgmt.c"],"versions":[{"version":"2bb36870e8cb29949ef9acec37129cd8e70f1857","lessThan":"13ad995071a06570668dd8daab3616c247c72080","status":"affected","versionType":"git"},{"version":"2bb36870e8cb29949ef9acec37129cd8e70f1857","lessThan":"06fcbd79c3c360a50f9be9d370769bbd738d0976","status":"affected","versionType":"git"},{"version":"2bb36870e8cb29949ef9acec37129cd8e70f1857","lessThan":"f7093ac233c1e7f51d125534f46067772a113175","status":"affected","versionType":"git"},{"version":"2bb36870e8cb29949ef9acec37129cd8e70f1857","lessThan":"74c08e4db35a476c3462aeb65846f955be732626","status":"affected","versionType":"git"},{"version":"2bb36870e8cb29949ef9acec37129cd8e70f1857","lessThan":"18fea1cb0c2599752e908c8217490f73ddd33e00","status":"affected","versionType":"git"},{"version":"2bb36870e8cb29949ef9acec37129cd8e70f1857","lessThan":"1a3c8ffbb469859b076445af44bdfa6a711d483e","status":"affected","versionType":"git"},{"version":"2bb36870e8cb29949ef9acec37129cd8e70f1857","lessThan":"2a3f3ed9e198ae23c15859ace2f9ca6cfdc35b57","status":"affected","versionType":"git"},{"version":"2bb36870e8cb29949ef9acec37129cd8e70f1857","lessThan":"de23fb62259aa01d294f77238ae3b835eb674413","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/mgmt.c"],"versions":[{"version":"4.9","status":"affected"},{"version":"0","lessThan":"4.9","status":"unaffected","versionType":"semver"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"5.10.259"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"5.15.210"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"6.1.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"6.6.143"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"6.12.94"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"6.18.36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"7.0.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/13ad995071a06570668dd8daab3616c247c72080"},{"url":"https://git.kernel.org/stable/c/06fcbd79c3c360a50f9be9d370769bbd738d0976"},{"url":"https://git.kernel.org/stable/c/f7093ac233c1e7f51d125534f46067772a113175"},{"url":"https://git.kernel.org/stable/c/74c08e4db35a476c3462aeb65846f955be732626"},{"url":"https://git.kernel.org/stable/c/18fea1cb0c2599752e908c8217490f73ddd33e00"},{"url":"https://git.kernel.org/stable/c/1a3c8ffbb469859b076445af44bdfa6a711d483e"},{"url":"https://git.kernel.org/stable/c/2a3f3ed9e198ae23c15859ace2f9ca6cfdc35b57"},{"url":"https://git.kernel.org/stable/c/de23fb62259aa01d294f77238ae3b835eb674413"}],"title":"Bluetooth: MGMT: validate advertising TLV before type checks","x_generator":{"engine":"bippy-1.2.0"}}}}