CVE-2026-46138

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt<br /> <br /> hci_le_create_big_complete_evt() iterates over BT_BOUND connections for<br /> a BIG handle using a while loop, accessing ev-&gt;bis_handle[i++] on each<br /> iteration. However, there is no check that i stays within ev-&gt;num_bis<br /> before the array access.<br /> <br /> When a controller sends a LE_Create_BIG_Complete event with fewer<br /> bis_handle entries than there are BT_BOUND connections for that BIG,<br /> or with num_bis=0, the loop reads beyond the valid bis_handle[] flex<br /> array into adjacent heap memory. Since the out-of-bounds values<br /> typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()<br /> rejects them and the connection remains in BT_BOUND state. The same<br /> connection is then found again by hci_conn_hash_lookup_big_state(),<br /> creating an infinite loop with hci_dev_lock held.<br /> <br /> Fix this by terminating the BIG if in case not all BIS could be setup<br /> properly.