CVE-2026-31772
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync
hci_le_big_create_sync() uses DEFINE_FLEX to allocate a struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17) BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31) entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31, the memcpy that copies conn->bis into cp->bis writes up to 14 bytes past the stack buffer, corrupting adjacent stack memory.
This is trivially reproducible: binding an ISO socket with bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will eventually trigger hci_le_big_create_sync() from the HCI command sync worker, causing a KASAN-detectable stack-out-of-bounds write:
BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0 Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71
Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that conn->bis can actually carry.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
83cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.11.11,<6.12
- cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- osv-coords75 versionspkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-modules-extra-matchedpkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rv
< 6.12.0-211.26.1.el10_2+ 74 more
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
- (no CPE)range: < 6.12.0-211.26.1.el10_2
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.