Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53255

CVE-2026-53255: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-53255 is a buffer overflow flaw in Linux kernel's Bluetooth MGMT component that allows out-of-bounds memory reads. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-53255 Overview

CVE-2026-53255 is an out-of-bounds read vulnerability in the Linux kernel Bluetooth Management (MGMT) subsystem. The flaw resides in tlv_data_is_valid(), which parses advertising Type-Length-Value (TLV) data submitted through MGMT_OP_ADD_ADVERTISING requests. The function reads the length byte from data[i] and then inspects the type byte at data[i + 1] before verifying that the field actually fits inside the supplied buffer. A malformed element whose length byte is the last byte of the buffer causes the parser to read one byte beyond the advertising data. Kernel Address Sanitizer (KASAN) confirmed the issue as a vmalloc-out-of-bounds read [CWE-125].

Critical Impact

A local user able to issue Bluetooth MGMT commands can trigger a one-byte out-of-bounds read in kernel memory, enabling kernel information disclosure or denial-of-service conditions.

Affected Products

  • Linux kernel Bluetooth subsystem (net/bluetooth/mgmt.c)
  • Stable kernel branches receiving the fix via the referenced commits
  • Distributions shipping affected upstream kernel versions

Discovery Timeline

  • 2026-06-25 - CVE-2026-53255 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53255

Vulnerability Analysis

The Linux kernel Bluetooth MGMT interface accepts advertising data formatted as Extended Inquiry Response (EIR) TLV elements. Each element begins with a length byte followed by a type byte and the element payload. The function tlv_data_is_valid() validates this data before the kernel hands it to the controller through add_advertising().

The parser performs operations in the wrong order. It reads data[i] to obtain the field length, then immediately inspects data[i + 1] to determine whether the type matches a managed EIR identifier. Only after these dereferences does the function verify that the current element still fits inside the buffer. When a crafted element places its length byte at the final position of the buffer, the read of data[i + 1] crosses the allocation boundary.

KASAN reported the bug with the following call trace: tlv_data_is_valid()add_advertising()hci_mgmt_cmd()hci_sock_sendmsg(). The read is bounded to a single byte, which limits direct impact but still violates kernel memory safety guarantees.

Root Cause

The root cause is an ordering error in input validation. The bounds check that proves the element fits within the supplied buffer was placed after the type-octet inspection rather than before it. The fix reorders the checks so each non-empty element is proven to contain its type byte before the parser reads data[i + 1].

Attack Vector

Exploitation requires the ability to send MGMT_OP_ADD_ADVERTISING commands over an AF_BLUETOOTH HCI socket. This typically requires CAP_NET_ADMIN or membership in a privileged group, depending on distribution policy. An attacker submits a malformed advertising payload whose final byte is interpreted as a length field, triggering the one-byte out-of-bounds read in vmalloc-backed memory.

The vulnerability is described in prose only, since no public proof-of-concept code has been released. Technical details are available in the upstream kernel commits referenced in the Linux kernel stable tree.

Detection Methods for CVE-2026-53255

Indicators of Compromise

  • KASAN reports in dmesg containing BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid
  • Kernel call traces referencing add_advertising, hci_mgmt_cmd, and hci_sock_sendmsg together with sanitizer warnings
  • Unexpected Bluetooth subsystem crashes or oopses on systems exposing HCI sockets to non-root users

Detection Strategies

  • Audit kernel logs for KASAN, KMSAN, or generic kernel oops entries naming tlv_data_is_valid or the Bluetooth MGMT path
  • Inventory hosts running affected kernel versions and verify whether the fix commits listed in the references are applied
  • Use process telemetry to identify unprivileged processes opening AF_BLUETOOTH raw or HCI sockets and issuing MGMT commands

Monitoring Recommendations

  • Forward kernel ring buffer messages to a centralized log platform and alert on sanitizer signatures and Bluetooth subsystem panics
  • Monitor for unusual setsockopt and sendmsg activity on AF_BLUETOOTH sockets originating from user sessions or containers
  • Track patch state of the kernel package across the fleet to detect hosts that remain on vulnerable builds

How to Mitigate CVE-2026-53255

Immediate Actions Required

  • Apply the upstream Linux kernel patches that reorder the element-length check before type inspection in tlv_data_is_valid()
  • Update to a distribution kernel that incorporates the referenced stable-tree commits and reboot affected systems
  • Restrict access to Bluetooth MGMT sockets to trusted administrative users only

Patch Information

The fix is distributed across multiple stable branches. Relevant commits include 06fcbd79, 13ad9950, 18fea1cb, 1a3c8ffb, 2a3f3ed9, 74c08e4d, de23fb62, and f7093ac2. See the Linux kernel stable commit 2a3f3ed9 and the companion commit f7093ac2 for the canonical fix. Consult your distribution's security tracker to confirm the package version that includes these patches.

Workarounds

  • Disable the Bluetooth subsystem on systems that do not require it by blacklisting the bluetooth and related HCI driver modules
  • Stop and disable the bluetoothd service via systemctl disable --now bluetooth.service where Bluetooth is not needed
  • Constrain CAP_NET_ADMIN and Bluetooth group membership so untrusted users cannot reach the MGMT interface
bash
# Disable Bluetooth subsystem until patched kernel is deployed
sudo systemctl disable --now bluetooth.service
echo 'blacklist bluetooth' | sudo tee /etc/modprobe.d/disable-bluetooth.conf
echo 'blacklist btusb' | sudo tee -a /etc/modprobe.d/disable-bluetooth.conf
sudo update-initramfs -u

# Verify kernel version contains the fix
uname -r
sudo dmesg | grep -i 'tlv_data_is_valid'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.