In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hcievent: Fix OOB read and infinite loop in hcilecreatebigcompleteevt
hcilecreatebigcompleteevt() iterates over BTBOUND connections for a BIG handle using a while loop, accessing ev->bishandle[i++] on each iteration. However, there is no check that i stays within ev->numbis before the array access.
When a controller sends a LECreateBIGComplete event with fewer bishandle entries than there are BTBOUND connections for that BIG, or with numbis=0, the loop reads beyond the valid bishandle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCICONNHANDLEMAX (0x0EFF), hciconnsethandle() rejects them and the connection remains in BTBOUND state. The same connection is then found again by hciconnhashlookupbigstate(), creating an infinite loop with hcidev_lock held.
Fix this by terminating the BIG if in case not all BIS could be setup properly.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46138.json",
"cna_assigner": "Linux"
}