CVE-2026-46186
Bluetooth: virtio_bt: validate rx pkt_type header length
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtio_bt: validate rx pkt_type header length virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type. After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core. After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path. Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.
INFO
Published Date :
May 28, 2026, 10:16 a.m.
Last Modified :
June 11, 2026, 3:06 a.m.
Remotely Exploit :
No
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | [email protected] |
Solution
- Ensure RX skb length covers minimum HCI header size.
- Drop packets if header length is insufficient.
- Limit error messages from untrusted input.
- Apply the provided kernel patch.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-46186.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-46186 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-46186
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-46186 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-46186 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jun. 11, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Added CWE CWE-908 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.1:-:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.0.8 up to (excluding) 6.1 *cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.18.30 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 7.0.7 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.12.88 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.140 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.15.78 up to (excluding) 5.15.209 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.1.1 up to (excluding) 6.1.175 Added Reference Type kernel.org: https://git.kernel.org/stable/c/149cfb42ad69c7964fd9f2c43831da9152007129 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/1e1e509b6fd2a42421745bbcd98bd16daad20904 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/2c1143564c71e7497b42d8360a8379ccbb011d3c Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/3485c7236c59c8c34a41af1c4b52982437554e79 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/7b2d4c04816cdc887f472caaf7fc966cfc107e40 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/daf23014e5d975e72ea9c02b5160d3fcf070ea47 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/f743eab6486965f276c7e3f1700895f014fdc6db Types: Patch -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jun. 01, 2026
Action Type Old Value New Value Added Reference https://git.kernel.org/stable/c/149cfb42ad69c7964fd9f2c43831da9152007129 Added Reference https://git.kernel.org/stable/c/7b2d4c04816cdc887f472caaf7fc966cfc107e40 -
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 28, 2026
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtio_bt: validate rx pkt_type header length virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type. After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core. After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path. Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log. Added Reference https://git.kernel.org/stable/c/1e1e509b6fd2a42421745bbcd98bd16daad20904 Added Reference https://git.kernel.org/stable/c/2c1143564c71e7497b42d8360a8379ccbb011d3c Added Reference https://git.kernel.org/stable/c/3485c7236c59c8c34a41af1c4b52982437554e79 Added Reference https://git.kernel.org/stable/c/daf23014e5d975e72ea9c02b5160d3fcf070ea47 Added Reference https://git.kernel.org/stable/c/f743eab6486965f276c7e3f1700895f014fdc6db