PT-2026-44261 · Linux · Linux Kernel

Published: 2026-05-28 · Updated: 2026-06-04 · CVE-2026-46138

CVSS v3.1: 8.1 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

An out-of-bounds read and infinite loop exist in the hci_le_create_big_complete_evt() function. The function iterates over BT_BOUND connections for a BIG handle using a while loop that accesses the ev->bis_handle[i++] array without verifying that i remains within the ev->num_bis limit. If a controller sends an LE Create BIG Complete event where num_bis is 0 or contains fewer entries than there are BT_BOUND connections, the system reads adjacent heap memory. Because these out-of-bounds values usually exceed HCI_CONN_HANDLE_MAX, the hci_conn_set_handle() function rejects them, leaving the connection in a BT_BOUND state. This causes the connection to be repeatedly found by hci_conn_hash_lookup_big_state(), resulting in an infinite loop while the hci_dev_lock is held.

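The bounds check the description calls for, as an added example: this is a user-space C model, not kernel code and not the upstream fix. struct conn, struct big_complete_evt, lookup_big_state(), set_handle() and big_complete_bounded() are hypothetical stand-ins, and closing a connection that gets no valid handle is an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>
#define HCI_CONN_HANDLE_MAX 0x0eff
enum state { BT_BOUND, BT_CONNECTED, BT_CLOSED };   /* simplified model states */
struct conn { uint8_t big; enum state state; uint16_t handle; };
struct big_complete_evt { uint8_t handle, num_bis; const uint16_t *bis_handle; };

/* Stand-in for the lookup: first connection of this BIG still in state st. */
static struct conn *lookup_big_state(struct conn *c, size_t n, uint8_t big, enum state st)
{
    for (size_t k = 0; k < n; k++)
        if (c[k].big == big && c[k].state == st)
            return &c[k];
    return NULL;
}

/* Stand-in for the handle setter: rejects values above HCI_CONN_HANDLE_MAX. */
static int set_handle(struct conn *c, uint16_t handle)
{
    if (handle > HCI_CONN_HANDLE_MAX)
        return -1;
    c->handle = handle;
    return 0;
}

/* Bounded loop: returns how many connections received a handle. */
int big_complete_bounded(struct conn *c, size_t n, const struct big_complete_evt *ev)
{
    struct conn *conn;
    uint8_t i = 0;
    int assigned = 0;
    while ((conn = lookup_big_state(c, n, ev->handle, BT_BOUND))) {
        /* No entry left, or entry rejected: leave BT_BOUND so the lookup
         * cannot return this connection again (model assumption). */
        if (i >= ev->num_bis || set_handle(conn, ev->bis_handle[i++]) < 0) {
            conn->state = BT_CLOSED;
            continue;
        }
        conn->state = BT_CONNECTED;
        assigned++;
    }
    return assigned;
}

int main(void)
{
    struct conn c[2] = { {1, BT_BOUND, 0}, {1, BT_BOUND, 0} }; /* constructed */
    struct big_complete_evt ev = { 1, 0, NULL };               /* num_bis == 0 */
    return big_complete_bounded(c, 2, &ev);                    /* terminates */
}
```

The index test comes before the array access, so an event with num_bis of 0 never touches bis_handle, and every pass through the loop moves one connection out of BT_BOUND, which is what guarantees termination.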
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2026-46138
OPENSUSE-SU-2026:10954-1

Affected Products

Linux Kernel