CVE-2026-31772

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync<br /> <br /> hci_le_big_create_sync() uses DEFINE_FLEX to allocate a<br /> struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17)<br /> BIS entries. However, conn-&gt;num_bis can hold up to HCI_MAX_ISO_BIS (31)<br /> entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller<br /> hci_conn_big_create_sync(). When conn-&gt;num_bis is between 18 and 31,<br /> the memcpy that copies conn-&gt;bis into cp-&gt;bis writes up to 14 bytes<br /> past the stack buffer, corrupting adjacent stack memory.<br /> <br /> This is trivially reproducible: binding an ISO socket with<br /> bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will<br /> eventually trigger hci_le_big_create_sync() from the HCI command<br /> sync worker, causing a KASAN-detectable stack-out-of-bounds write:<br /> <br /> BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0<br /> Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71<br /> <br /> Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to<br /> HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that<br /> conn-&gt;bis can actually carry.