VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46138

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access.

When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.

Fix this by terminating the BIG in case not all BIS could be set up properly.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An OOB read and infinite loop in the Linux kernel's Bluetooth HCI event handler can cause a denial of service when processing malformed LE_Create_BIG_Complete events.

Vulnerability

The vulnerability is in hci_le_create_big_complete_evt() in net/bluetooth/hci_event.c, the handler for the LE_Create_BIG_Complete HCI event. The handler walks the connections that are in BT_BOUND state for the event's BIG handle in a while loop and reads ev->bis_handle[i++] for each one, without checking that i is still below ev->num_bis. A controller that reports fewer bis_handle entries than there are bound connections, or num_bis = 0, therefore makes the loop read past the bis_handle[] flex array into adjacent heap memory. Every kernel without the fix is affected; the patch list below shows the fix landing in 6.6.140, 6.12.88, 6.18.30, 7.0.7 and 7.1-rc3 (stable commit 6cb7f67bc28d [1] is the 6.6 backport).

Exploitation

The trigger is an HCI event, not an over-the-air packet: LE_Create_BIG_Complete travels from the Bluetooth controller to the host over the HCI transport (USB, UART or a virtual HCI device), so the attacker model is a malicious or compromised controller, for example a rogue dongle or tampered controller firmware, rather than a remote peer in radio range. No pairing or authentication is involved; creating a BIG is a host-initiated broadcast operation. The host must first have asked the controller to create a BIG, which leaves one hci_conn per BIS in BT_BOUND state for that BIG handle. A controller that answers with a LE_Create_BIG_Complete event whose num_bis is smaller than the number of bound connections, or zero, makes the loop read past the end of bis_handle[] into adjacent heap memory. Because those out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them, the connection stays in BT_BOUND, hci_conn_hash_lookup_big_state() returns the same connection on the next pass, and the loop never exits while holding hci_dev_lock.

Impact

Successful exploitation leaves the event handler spinning inside hci_le_create_big_complete_evt() with hci_dev_lock held. Any other work on that adapter that needs hci_dev_lock then blocks behind it, so Bluetooth on the host stops functioning and the kernel will report the stuck task; because the loop never exits, recovery in practice means a reboot. The description documents no information disclosure or privilege escalation: the out-of-bounds values are only ever passed to hci_conn_set_handle(), which rejects the typical ones. The word typically matters, though: an adjacent heap value that happens to be at or below 0x0EFF would pass that check and become the BIS connection handle, so in that case the pre-fix behaviour is a bogus handle rather than a hang.

Mitigation

The fix, "Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt", is in 7.1-rc3 and in the stable releases 6.6.140, 6.12.88, 6.18.30 and 7.0.7 (commit 6cb7f67bc28d [1] is the 6.6 backport; the others are listed under Patches below). Update to one of those releases or later. Distribution kernels often carry the backport under their own version string, so check the package changelog for the commit title rather than trusting the version number alone. There is no code-level workaround. The vulnerable loop is only reached when the host itself has asked the controller to create a BIG, which is the LE Audio broadcast source role, so hosts that never act as a broadcast source do not exercise it; that limits exposure but is not a fix. The vulnerability is not listed in the CISA KEV as of publication.
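A practitioner's first question is whether a given kernel already carries one of the listed releases. The following added example (not code from the advisory, the kernel project or its references) parses a `uname -r` style release string and compares it against the fixed versions from the patch list; the parser, the `fix_status()` name and its three-way result are this example's own. It answers `SERIES_NOT_LISTED` for series the advisory does not name (6.1 or 6.10, for instance) and cannot see distribution backports that keep an older version string, so treat its answer as a prompt to check the changelog, not as proof.

```c
/* Added example, not kernel or advisory code: classify a kernel release string
 * against the fixed versions this advisory lists. Assumption: distribution
 * kernels may backport the fix without bumping the version, which this cannot see. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum fix_status { FIX_ABSENT, FIX_PRESENT, SERIES_NOT_LISTED };

struct kver { int major, minor, patch, rc; };   /* rc == 0 means a final release */

/* Fixed versions from the patch list: four stable backports plus mainline. */
static const struct kver FIXED[] = {
    { 6,  6, 140, 0 },
    { 6, 12,  88, 0 },
    { 6, 18,  30, 0 },
    { 7,  0,   7, 0 },
    { 7,  1,   0, 3 },   /* 7.1-rc3 */
};
#define MAINLINE_FIX (FIXED[4])

/* Parse "6.6.139-1-generic", "7.1-rc3" or "7.1.0-rc2"; anything after the
 * numeric part (a distro suffix) is ignored. Returns 0 on malformed input. */
static int parse_kver(const char *s, struct kver *v)
{
    char *end;
    memset(v, 0, sizeof(*v));
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.')
        return 0;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s)
        return 0;
    if (*end == '.') {                      /* optional patch level */
        s = end + 1;
        v->patch = (int)strtol(s, &end, 10);
        if (end == s)
            return 0;
    }
    if (strncmp(end, "-rc", 3) == 0) {      /* optional release candidate */
        s = end + 3;
        v->rc = (int)strtol(s, &end, 10);
        if (end == s || v->rc <= 0)
            return 0;
    }
    return 1;
}

/* Lexicographic compare; a final release sorts after every -rc of that version. */
static int kver_cmp(const struct kver *a, const struct kver *b)
{
    int ka[4] = { a->major, a->minor, a->patch, a->rc ? a->rc : INT_MAX };
    int kb[4] = { b->major, b->minor, b->patch, b->rc ? b->rc : INT_MAX };
    for (int k = 0; k < 4; k++)
        if (ka[k] != kb[k])
            return ka[k] < kb[k] ? -1 : 1;
    return 0;
}

enum fix_status fix_status(const char *release)
{
    struct kver v;
    if (!parse_kver(release, &v))
        return SERIES_NOT_LISTED;
    /* Same major.minor as a listed release: compare within that series. */
    for (size_t k = 0; k < sizeof(FIXED) / sizeof(FIXED[0]); k++)
        if (FIXED[k].major == v.major && FIXED[k].minor == v.minor)
            return kver_cmp(&v, &FIXED[k]) >= 0 ? FIX_PRESENT : FIX_ABSENT;
    /* Any series branched after 7.1-rc3 inherits the mainline fix. */
    if (kver_cmp(&v, &MAINLINE_FIX) >= 0)
        return FIX_PRESENT;
    return SERIES_NOT_LISTED;   /* e.g. 6.1 or 6.10: not covered by this advisory */
}

int main(void)
{
    /* Constructed sample release strings. */
    const char *samples[] = { "6.6.139-1-generic", "6.6.140", "7.1.0-rc2", "7.1-rc3", "6.10.5" };
    static const char *names[] = { "absent", "present", "series not listed" };
    for (size_t k = 0; k < sizeof(samples) / sizeof(samples[0]); k++)
        printf("%-18s fix %s\n", samples[k], names[fix_status(samples[k])]);
    return 0;
}
```

Feed it `$(uname -r)`; a `FIX_ABSENT` on a distribution kernel still needs the changelog check described above.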

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 10

6cb7f67bc28d

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Luiz Augusto von Dentz · Apr 10, 2026 · Fixed in 6.6.140 · via kernel-cna
1 file changed · +25 -3
  • net/bluetooth/hci_event.c · +25 -3 · modified
    diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
    index dcf23d9f1ef6cf..f6285c4325d634 100644
    --- a/net/bluetooth/hci_event.c
    +++ b/net/bluetooth/hci_event.c
    @@ -6874,9 +6874,29 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
     			continue;
     		}
     
    +		if (ev->num_bis <= i) {
    +			bt_dev_err(hdev,
    +				   "Not enough BIS handles for BIG 0x%2.2x",
    +				   ev->handle);
    +			ev->status = HCI_ERROR_UNSPECIFIED;
    +			hci_connect_cfm(conn, ev->status);
    +			hci_conn_del(conn);
    +			continue;
    +		}
    +
     		if (hci_conn_set_handle(conn,
    -					__le16_to_cpu(ev->bis_handle[i++])))
    +					__le16_to_cpu(ev->bis_handle[i++]))) {
    +			bt_dev_err(hdev,
    +				   "Failed to set BIS handle for BIG 0x%2.2x",
    +				   ev->handle);
    +			/* Force error so BIG gets terminated as not all BIS
    +			 * could be connected.
    +			 */
    +			ev->status = HCI_ERROR_UNSPECIFIED;
    +			hci_connect_cfm(conn, ev->status);
    +			hci_conn_del(conn);
     			continue;
    +		}
     
     		conn->state = BT_CONNECTED;
     		set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
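Review bot: what actually breaks the infinite loop is hci_conn_del() in the new `if (ev->num_bis <= i)` branch (and in the matching branch on hci_conn_set_handle() failure), because a deleted connection is no longer returned by the lookup that drives the while loop; neither new error block says so, and the only comment talks about terminating the BIG. Suggest one line next to the first `continue;`, e.g. `/* Delete rather than skip: a conn left in BT_BOUND is found again and the loop never ends. */`. Separately, the bound is taken from `ev->num_bis` exactly as the controller sent it; that is only sound if num_bis was already checked against the event's length when the skb was pulled, which is outside this hunk, so naming that invariant in a comment here would spare the next reader a search.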
    @@ -6885,7 +6905,10 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
     		hci_iso_setup_path(conn);
     	}
     
    -	if (!ev->status && !i)
    +	/* If there is an unexpected error or if no BISes have been connected
    +	 * for the BIG, terminate it.
    +	 */
    +	if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
     		/* If no BISes have been connected for the BIG,
     		 * terminate. This is in case all bound connections
     		 * have been closed before the BIG creation
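Review bot: `ev->status == HCI_ERROR_UNSPECIFIED` cannot tell the error forced inside the loop apart from a controller that genuinely returned status 0x1F for LE Create BIG; in that second case the host now also queues a terminate for a BIG the controller says it never created, which the old `!ev->status && !i` test avoided by construction. Writing host-side state into the received event is the root of the ambiguity: a local flag (e.g. `bool terminate = false;` set beside each `ev->status = HCI_ERROR_UNSPECIFIED;` assignment and tested here in place of the equality) would keep the two meanings apart and make this condition read as intended.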
    -- 
    cgit 1.3-korg
    
    
    
77981a507aa0

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Luiz Augusto von Dentz · Apr 10, 2026 · Fixed in 6.18.30 · via kernel-cna
1 file changed · +25 -3
  • net/bluetooth/hci_event.c · +25 -3 · modified
    diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
    index c66443f4cf5a7a..6f77ab2629d65f 100644
    --- a/net/bluetooth/hci_event.c
    +++ b/net/bluetooth/hci_event.c
    @@ -6973,9 +6973,29 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
     			continue;
     		}
     
    +		if (ev->num_bis <= i) {
    +			bt_dev_err(hdev,
    +				   "Not enough BIS handles for BIG 0x%2.2x",
    +				   ev->handle);
    +			ev->status = HCI_ERROR_UNSPECIFIED;
    +			hci_connect_cfm(conn, ev->status);
    +			hci_conn_del(conn);
    +			continue;
    +		}
    +
     		if (hci_conn_set_handle(conn,
    -					__le16_to_cpu(ev->bis_handle[i++])))
    +					__le16_to_cpu(ev->bis_handle[i++]))) {
    +			bt_dev_err(hdev,
    +				   "Failed to set BIS handle for BIG 0x%2.2x",
    +				   ev->handle);
    +			/* Force error so BIG gets terminated as not all BIS
    +			 * could be connected.
    +			 */
    +			ev->status = HCI_ERROR_UNSPECIFIED;
    +			hci_connect_cfm(conn, ev->status);
    +			hci_conn_del(conn);
     			continue;
    +		}
     
     		conn->state = BT_CONNECTED;
     		set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
    @@ -6984,7 +7004,10 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
     		hci_iso_setup_path(conn);
     	}
     
    -	if (!ev->status && !i)
    +	/* If there is an unexpected error or if no BISes have been connected
    +	 * for the BIG, terminate it.
    +	 */
    +	if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
     		/* If no BISes have been connected for the BIG,
     		 * terminate. This is in case all bound connections
     		 * have been closed before the BIG creation
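Review bot: the new comment above the `if` and the retained comment below it now overlap: both explain the `!i` case, and the retained one still reads as if `!ev->status && !i` were the only condition. Merge them into a single comment above the `if` that covers both arms, e.g. `/* Terminate the BIG if an error was forced above (not every BIS could be connected) or if no BIS was connected because all bound connections were closed before creation completed. */`.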
    
22559ad7654f

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Luiz Augusto von Dentz · Apr 10, 2026 · Fixed in 6.12.88 · via kernel-cna
1 file changed · +25 -3
  • net/bluetooth/hci_event.c · +25 -3 · modified
    diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
    index 7246a26723d0fd..8a14c00ad7278d 100644
    --- a/net/bluetooth/hci_event.c
    +++ b/net/bluetooth/hci_event.c
    @@ -6935,9 +6935,29 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
     			continue;
     		}
     
    +		if (ev->num_bis <= i) {
    +			bt_dev_err(hdev,
    +				   "Not enough BIS handles for BIG 0x%2.2x",
    +				   ev->handle);
    +			ev->status = HCI_ERROR_UNSPECIFIED;
    +			hci_connect_cfm(conn, ev->status);
    +			hci_conn_del(conn);
    +			continue;
    +		}
    +
     		if (hci_conn_set_handle(conn,
    -					__le16_to_cpu(ev->bis_handle[i++])))
    +					__le16_to_cpu(ev->bis_handle[i++]))) {
    +			bt_dev_err(hdev,
    +				   "Failed to set BIS handle for BIG 0x%2.2x",
    +				   ev->handle);
    +			/* Force error so BIG gets terminated as not all BIS
    +			 * could be connected.
    +			 */
    +			ev->status = HCI_ERROR_UNSPECIFIED;
    +			hci_connect_cfm(conn, ev->status);
    +			hci_conn_del(conn);
     			continue;
    +		}
     
     		conn->state = BT_CONNECTED;
     		set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
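Review bot: both bt_dev_err() messages print only the BIG handle; the values that would let someone triaging a log tell a misbehaving controller from a host bug are `ev->num_bis` and `i` for the first message and the rejected handle for the second, since a handle above HCI_CONN_HANDLE_MAX is exactly the signature of the out-of-bounds read this patch closes. Suggest `"Not enough BIS handles for BIG 0x%2.2x (num_bis %u, i %u)"` for the first and including the handle value in the second.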
    @@ -6946,7 +6966,10 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
     		hci_iso_setup_path(conn);
     	}
     
    -	if (!ev->status && !i)
    +	/* If there is an unexpected error or if no BISes have been connected
    +	 * for the BIG, terminate it.
    +	 */
    +	if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
     		/* If no BISes have been connected for the BIG,
     		 * terminate. This is in case all bound connections
     		 * have been closed before the BIG creation
    
665da0baaf03

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Luiz Augusto von Dentz · Apr 10, 2026 · Fixed in 7.0.7 · via kernel-cna
1 file changed · +25 -3
  • net/bluetooth/hci_event.c · +25 -3 · modified
    diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
    index 6500f7a327f608..0df1c0cbc8f78a 100644
    --- a/net/bluetooth/hci_event.c
    +++ b/net/bluetooth/hci_event.c
    @@ -7121,9 +7121,29 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
     			continue;
     		}
     
    +		if (ev->num_bis <= i) {
    +			bt_dev_err(hdev,
    +				   "Not enough BIS handles for BIG 0x%2.2x",
    +				   ev->handle);
    +			ev->status = HCI_ERROR_UNSPECIFIED;
    +			hci_connect_cfm(conn, ev->status);
    +			hci_conn_del(conn);
    +			continue;
    +		}
    +
     		if (hci_conn_set_handle(conn,
    -					__le16_to_cpu(ev->bis_handle[i++])))
    +					__le16_to_cpu(ev->bis_handle[i++]))) {
    +			bt_dev_err(hdev,
    +				   "Failed to set BIS handle for BIG 0x%2.2x",
    +				   ev->handle);
    +			/* Force error so BIG gets terminated as not all BIS
    +			 * could be connected.
    +			 */
    +			ev->status = HCI_ERROR_UNSPECIFIED;
    +			hci_connect_cfm(conn, ev->status);
    +			hci_conn_del(conn);
     			continue;
    +		}
     
     		conn->state = BT_CONNECTED;
     		set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
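Review bot: `__le16_to_cpu(ev->bis_handle[i++])` inside the call keeps the increment even when hci_conn_set_handle() rejects the value, so after the first failure `i` no longer counts connected BISes; harmless now, since the forced error makes the final `!i` test irrelevant on that path, but it is one more thing to reason about. Hoisting the value first (`u16 handle = __le16_to_cpu(ev->bis_handle[i++]);`) would keep the side effect out of the condition and give the error message a value to print.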
    @@ -7132,7 +7152,10 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
     		hci_iso_setup_path(conn);
     	}
     
    -	if (!ev->status && !i)
    +	/* If there is an unexpected error or if no BISes have been connected
    +	 * for the BIG, terminate it.
    +	 */
    +	if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
     		/* If no BISes have been connected for the BIG,
     		 * terminate. This is in case all bound connections
     		 * have been closed before the BIG creation
    
5ddb80142611

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Luiz Augusto von Dentz · Apr 10, 2026 · Fixed in 7.1-rc3 · via kernel-cna
1 file changed · +25 -3
  • net/bluetooth/hci_event.c · +25 -3 · modified
    diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
    index b2ee6b6a0f5650..1b3b9131affaa3 100644
    --- a/net/bluetooth/hci_event.c
    +++ b/net/bluetooth/hci_event.c
    @@ -7118,9 +7118,29 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
     			continue;
     		}
     
    +		if (ev->num_bis <= i) {
    +			bt_dev_err(hdev,
    +				   "Not enough BIS handles for BIG 0x%2.2x",
    +				   ev->handle);
    +			ev->status = HCI_ERROR_UNSPECIFIED;
    +			hci_connect_cfm(conn, ev->status);
    +			hci_conn_del(conn);
    +			continue;
    +		}
    +
     		if (hci_conn_set_handle(conn,
    -					__le16_to_cpu(ev->bis_handle[i++])))
    +					__le16_to_cpu(ev->bis_handle[i++]))) {
    +			bt_dev_err(hdev,
    +				   "Failed to set BIS handle for BIG 0x%2.2x",
    +				   ev->handle);
    +			/* Force error so BIG gets terminated as not all BIS
    +			 * could be connected.
    +			 */
    +			ev->status = HCI_ERROR_UNSPECIFIED;
    +			hci_connect_cfm(conn, ev->status);
    +			hci_conn_del(conn);
     			continue;
    +		}
     
     		conn->state = BT_CONNECTED;
     		set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
    @@ -7129,7 +7149,10 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
     		hci_iso_setup_path(conn);
     	}
     
    -	if (!ev->status && !i)
    +	/* If there is an unexpected error or if no BISes have been connected
    +	 * for the BIG, terminate it.
    +	 */
    +	if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
     		/* If no BISes have been connected for the BIG,
     		 * terminate. This is in case all bound connections
     		 * have been closed before the BIG creation
    
665da0baaf03

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Luiz Augusto von Dentz · Apr 10, 2026 · via nvd-ref
1 file changed · +25 -3
  • net/bluetooth/hci_event.c · +25 -3 · modified (diff identical to the stable entry for 665da0baaf03 above)
    
6cb7f67bc28d

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Luiz Augusto von Dentz · Apr 10, 2026 · via nvd-ref
1 file changed · +25 -3
  • net/bluetooth/hci_event.c · +25 -3 · modified (diff identical to the stable entry for 6cb7f67bc28d above)
    
77981a507aa0

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Luiz Augusto von Dentz · Apr 10, 2026 · via nvd-ref
1 file changed · +25 -3
  • net/bluetooth/hci_event.c · +25 -3 · modified (diff identical to the stable entry for 77981a507aa0 above)
    
22559ad7654f

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Luiz Augusto von Dentz · Apr 10, 2026 · via nvd-ref
1 file changed · +25 -3
  • net/bluetooth/hci_event.c · +25 -3 · modified (diff identical to the stable entry for 22559ad7654f above)
    
5ddb80142611

Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Luiz Augusto von Dentz · Apr 10, 2026 · via nvd-ref
1 file changed · +25 -3
  • net/bluetooth/hci_event.c · +25 -3 · modified (diff identical to the stable entry for 5ddb80142611 above)

Vulnerability mechanics

Root cause

"Missing bounds check on `i` against `ev->num_bis` before accessing `ev->bis_handle[i]` in `hci_le_create_big_complete_evt` allows OOB read and infinite loop."

Attack vector

An attacker with a malicious Bluetooth controller sends a crafted LE_Create_BIG_Complete HCI event where the number of BIS handles (`num_bis`) is less than the number of BT_BOUND connections for that BIG, or `num_bis` is zero. The loop in `hci_le_create_big_complete_evt` reads beyond the `bis_handle[]` flex array into adjacent heap memory (OOB read). The out-of-bounds values typically exceed `HCI_CONN_HANDLE_MAX` (0x0EFF), so `hci_conn_set_handle()` rejects them, leaving the connection in BT_BOUND state. The same connection is then found again by `hci_conn_hash_lookup_big_state()`, creating an infinite loop while holding `hci_dev_lock`, causing a denial of service [patch_id=2898375].

Affected code

The vulnerable function is `hci_le_create_big_complete_evt` in `net/bluetooth/hci_event.c`. The loop iterates over BT_BOUND connections for a BIG handle and accesses `ev->bis_handle[i++]` without checking that `i` stays within `ev->num_bis` [patch_id=2898375].

What the fix does

The patch adds a bounds check, `if (ev->num_bis <= i)`, before the read of `ev->bis_handle[i]`, which removes the OOB read [patch_id=2898375]. When that check trips, or when `hci_conn_set_handle()` rejects a handle, the patch sets `ev->status = HCI_ERROR_UNSPECIFIED`, reports the failure through `hci_connect_cfm()`, removes the connection with `hci_conn_del()`, and continues. Because `hci_conn_del()` takes the connection out of the set that `hci_conn_hash_lookup_big_state()` searches, every iteration now makes progress and the infinite loop is gone. The termination condition after the loop also changes from `!ev->status && !i` to `ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i)`, so the BIG is terminated whenever an error was forced, not only when no BIS was connected.
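The loop before and after the fix, as a user-space model that can be run. This is an added example and not the kernel's code: the event struct, the connection table and the helper names are simplifications of `hci_evt_le_create_big_complete`, `hci_conn_hash_lookup_big_state()` and `hci_conn_set_handle()`; the event is placed in a heap buffer padded with 0xFF bytes to stand in for whatever follows it in kernel memory, an iteration cap stands in for "never exits", and the non-zero-status branch at the top of the loop is modelled, as an assumption, as dropping the bound connection. `fixed = 0` runs the pre-patch logic and `fixed = 1` the logic from the hunks above, so the same crafted event can be seen hanging one and terminating the BIG in the other.

```c
/* Added example, not kernel code: a user-space model of the BT_BOUND loop in
 * hci_le_create_big_complete_evt() before (fixed = 0) and after (fixed = 1)
 * the patch. Struct layout, byte order and helper names are simplified. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HCI_CONN_HANDLE_MAX   0x0EFF
#define HCI_ERROR_UNSPECIFIED 0x1f
#define ITER_CAP              64   /* stand-in for "the loop never exits" */

enum { BT_CLOSED, BT_BOUND, BT_CONNECTED };

/* Model of struct hci_evt_le_create_big_complete: fixed fields, then a flexible
 * array of BIS handles (host byte order here, __le16 in the kernel). */
struct big_complete_evt {
    uint8_t  status;
    uint8_t  handle;      /* BIG handle */
    uint8_t  num_bis;
    uint16_t bis_handle[];
};

struct conn { int state; uint8_t big; uint16_t handle; };

struct result {
    int connected;   /* connections moved to BT_CONNECTED */
    int deleted;     /* connections removed (hci_conn_del) */
    int oob_reads;   /* reads of bis_handle[i] with i >= num_bis */
    int terminate;   /* would LE Terminate BIG be queued after the loop? */
    int hung;        /* ITER_CAP reached: the real loop would spin forever */
};

/* Model of hci_conn_hash_lookup_big_state(): first conn for `big` in `state`. */
static struct conn *lookup_big_state(struct conn *c, size_t n, uint8_t big, int state)
{
    for (size_t k = 0; k < n; k++)
        if (c[k].big == big && c[k].state == state)
            return &c[k];
    return NULL;
}

/* Model of hci_conn_set_handle(): values above HCI_CONN_HANDLE_MAX are rejected. */
static int conn_set_handle(struct conn *c, uint16_t h)
{
    if (h > HCI_CONN_HANDLE_MAX)
        return -1;
    c->handle = h;
    return 0;
}

/* Place the event in a heap buffer whose tail is 0xFF, standing in for the
 * adjacent heap memory the unfixed loop reads into. Caller frees. */
static struct big_complete_evt *make_evt(uint8_t big, uint8_t num_bis, const uint16_t *handles)
{
    size_t len = sizeof(struct big_complete_evt) + num_bis * sizeof(uint16_t);
    size_t pad = 2 * ITER_CAP * sizeof(uint16_t);   /* covers every capped read */
    struct big_complete_evt *ev = malloc(len + pad);
    memset(ev, 0xFF, len + pad);
    ev->status = 0;
    ev->handle = big;
    ev->num_bis = num_bis;
    for (unsigned k = 0; k < num_bis; k++)
        ev->bis_handle[k] = handles[k];
    return ev;
}

struct result run_big_complete(struct big_complete_evt *ev, struct conn *c, size_t n, int fixed)
{
    struct result r = {0};
    struct conn *conn;
    uint8_t i = 0;
    int iter = 0;

    while ((conn = lookup_big_state(c, n, ev->handle, BT_BOUND))) {
        if (++iter > ITER_CAP) { r.hung = 1; break; }

        if (ev->status) {                      /* assumed existing branch: error, drop conn */
            conn->state = BT_CLOSED; r.deleted++;
            continue;
        }
        if (fixed && ev->num_bis <= i) {       /* the patch's new bounds check */
            ev->status = HCI_ERROR_UNSPECIFIED;
            conn->state = BT_CLOSED; r.deleted++;
            continue;
        }
        if (i >= ev->num_bis)                  /* unfixed: this read is past the array */
            r.oob_reads++;
        if (conn_set_handle(conn, ev->bis_handle[i++])) {
            if (fixed) {                       /* patch: force the error and delete */
                ev->status = HCI_ERROR_UNSPECIFIED;
                conn->state = BT_CLOSED; r.deleted++;
            }
            continue;                          /* unfixed: conn stays BT_BOUND, found again */
        }
        conn->state = BT_CONNECTED; r.connected++;
    }
    r.terminate = fixed ? (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
                        : (!ev->status && !i);
    return r;
}

/* Constructed scenario: two connections bound to BIG 1; the controller's
 * event advertises `num_bis` handles. */
struct result scenario(uint8_t num_bis, int fixed)
{
    struct conn conns[2] = { { BT_BOUND, 1, 0 }, { BT_BOUND, 1, 0 } };
    uint16_t handles[2] = { 0x0010, 0x0011 };
    struct big_complete_evt *ev = make_evt(1, num_bis, handles);
    struct result r = run_big_complete(ev, conns, 2, fixed);
    free(ev);
    return r;
}

int main(void)
{
    for (int fixed = 0; fixed < 2; fixed++)
        for (uint8_t nb = 0; nb <= 2; nb++) {
            struct result r = scenario(nb, fixed);
            printf("%s num_bis=%u: connected=%d deleted=%d oob_reads=%d terminate=%d hung=%d\n",
                   fixed ? "fixed  " : "unfixed", nb, r.connected, r.deleted,
                   r.oob_reads, r.terminate, r.hung);
        }
    return 0;
}
```

With `num_bis = 1` the unfixed run connects the first BIS, then reads 0xFFFF from the padding for the second, has it rejected, finds the same bound connection again and hits the cap; the fixed run deletes the second connection, exits, and reports that the BIG should be terminated. The padding is 0xFF on purpose: had it held a value at or below 0x0EFF, the unfixed loop would have accepted it as a handle, which is the less obvious failure mode the description's word "typically" hides.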

Preconditions

  • network: The attacker must control or impersonate the Bluetooth controller so that a crafted LE_Create_BIG_Complete HCI event reaches the host over the HCI transport.
  • config: The target must have Bluetooth enabled and hold BT_BOUND connections for a BIG handle, i.e. it must itself have requested creation of that BIG.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.