The Linux kernel project has disclosed CVE-2026-46138, a serious security flaw in the Bluetooth subsystem that could allow an attacker within radio range to lock up a vulnerable system. Published on May 28, 2026, by the National Vulnerability Database (NVD) following an assignment from kernel.org, the bug affects the handling of Bluetooth LE Audio's Broadcast Isochronous Group feature and can trigger an out-of-bounds read potentially leading to an infinite loop. This in turn creates a denial-of-service condition, with a remote possibility of sensitive kernel memory being leaked.

What Is CVE-2026-46138?

CVE-2026-46138 is an out-of-bounds (OOB) read vulnerability in the hci_le_create_big function of the Linux kernel. This function is part of the Bluetooth Low Energy (LE) Audio stack, introduced in Bluetooth 5.2 and widely used for next-generation wireless audio. The flaw occurs when processing malformed LE Create BIG commands, where improper bounds checking can cause the kernel to read data from outside the intended buffer. An unauthenticated attacker who is within Bluetooth range can send specially crafted packets to trigger the bug.

The vulnerability has been assigned a CVE identifier, and while a CVSS severity score is still pending analysis, the nature of the bug suggests a high impact for availability. The primary consequence is an infinite loop in the Bluetooth host controller interface processing, which can hang or crash the kernel, leaving the device unresponsive until a hard reboot. Because the OOB read accesses memory adjacent to the buffer, there is also a theoretical risk of information disclosure, though researchers have not yet confirmed if it can be reliably exploited for data theft.

Technical Deep Dive: The hci_le_create_big Function

Bluetooth LE Audio relies on Isochronous Channels to deliver synchronized, low-latency audio streams. The hci_le_create_big command is sent from a host to a controller to create a Broadcast Isochronous Group (BIG). A BIG allows a single audio source to broadcast to multiple sinks—such as wireless earbuds, hearing aids, or public address systems. The command includes parameters like BIG Handle, Advertising Handle, Number of BIS (Broadcast Isochronous Streams), and an array of BIS-specific data.

The vulnerability arises when the kernel receives a hci_le_create_big event or command with inconsistent or oversized values in the BIS data array. The function fails to properly validate the length of this array before copying or reading its contents. As a result, an OOB read occurs, which can cause the kernel to enter an infinite loop if the corrupted data leads to a hang in the Bluetooth subsystem's state machine. This resembles classic buffer under-read issues, but here the read runs past the end of the allocated memory region.

Understanding the Root Cause

To appreciate the bug, consider how the kernel handles HCI commands. The Bluetooth Host Controller Interface (HCI) is the bridge between the host (CPU) and the controller (firmware). The command hci_le_create_big is defined in the HCI specification and is normally around 31 bytes long. However, the length can vary due to the optional BIS array. The kernel's implementation likely uses a structure that expects a certain maximum size, but fails to re-verify the incoming packet length from the controller. When a shorter or longer packet is received, the read may overrun or underrun the buffer, reading adjacent kernel memory.

This adjacent memory could contain pointers, stack data, or other sensitive information. While a direct leak to an attacker is not trivial—because the OOB read is on the input path and may not be directly echoed back—advanced exploitation techniques like blind data extraction or timing analysis might eventually prove feasible. For now, the immediate and confirmed effect is a loop: the Bluetooth state machine gets stuck, consuming CPU cycles and blocking further Bluetooth operations, eventually leading to a kernel panic or a hard hang.

How the Attack Works

Exploitation requires that the attacker be within Bluetooth Classic or Low Energy range (typically up to 100 meters, but potentially longer with high-gain antennas). The attacker does not need to authenticate or pair with the target device; they only need to send low-level HCI commands. Malicious LE Create BIG packets broadcast in this way can affect any vulnerable Linux system that has Bluetooth enabled and is scanning for LE Audio devices.

In practical terms, an attacker could use a cheap Bluetooth dongle (such as a CSR8510-based adapter) and a script using raw HCI sockets or a modified BlueZ tool to send these packets, causing denial of service on nearby Linux laptops, single-board computers (like Raspberry Pi), Android devices running a Linux kernel, or IoT gadgets. The attack could be automated to perpetually crash devices as they reboot, effectively causing a permanent DoS until Bluetooth is disabled or a patch is applied.

No User Interaction Required

The most worrying aspect is the lack of required user interaction. Unlike many phishing or download-based attacks, this is a remote, zero-click vector. A device merely needs to have its Bluetooth radio powered on and in discoverable or scanning mode—which is the default on many desktops and mobile devices. Even if the device is not actively pairing, the underlying kernel is still listening for advertising events and HCI commands, making it susceptible.

This attack model is reminiscent of the BlueBorne vulnerabilities disclosed in 2017, which also allowed remote code execution and denial of service over Bluetooth without authentication. However, CVE-2026-46138 is more limited in scope—no code execution has been demonstrated—but it highlights that critical bugs still lurk in widely deployed protocol handlers.

Impact and Severity

While the immediate impact is system unavailability, the broader implications depend on the device's role. For a server or desktop, a sudden hang could lead to data loss or service interruption. For embedded Linux devices—which are ubiquitous in smart homes, medical equipment, and industrial control—a freeze could have safety-critical consequences. The CVE's classification as a denial-of-service vulnerability understates the potential risk in environments where uptime is essential.

Moreover, if the OOB read can be leveraged to leak stack or heap memory, it might form part of an exploit chain to bypass kernel address space layout randomization (KASLR) or other mitigations. At the time of writing, no proof-of-concept code has been publicly released, but history shows that such bugs often attract exploit development quickly. Security researchers at Google's Project Zero, for instance, have a track record of weaponizing seemingly innocuous OOB reads into full privilege escalation.

Severity Assessment

Though not yet officially scored, the CVE will likely receive a CVSSv3 base score around 6.5 to 7.5 (High), reflecting the network attack vector, low complexity, no privileges required, and high availability impact. The confidentiality impact is uncertain, so the base score could be lower if information disclosure is deemed impossible. The NVD will publish a detailed vector once analysis is complete.

Affected Systems and Risk for Windows Users

CVE-2026-46138 affects all versions of the Linux kernel that include Bluetooth LE Audio support with the vulnerable code. This encompasses kernels from 5.10 onward where the feature was introduced, though exact version ranges are being determined. Major distributions like Ubuntu, Debian, Fedora, and Arch are likely impacted. Android devices using a vulnerable kernel will also be at risk if the Bluetooth stack exposes the raw HCI commands (often through vendor-specific Bluetooth HAL implementations).

For Windows users, the direct risk is minimal because Windows uses its own Bluetooth stack. However, many Windows enthusiasts run Linux in dual-boot configurations, virtual machines, or through the Windows Subsystem for Linux (WSL). WSL2 does not expose Bluetooth hardware directly, so it is not a vector. But if the host machine has Bluetooth passthrough enabled for a Linux VM (e.g., via USB passthrough in Hyper-V or VMware), that VM could be vulnerable. Additionally, developers working with Linux-based IoT devices or single-board computers over Bluetooth could face disruptions.

The broader Windows ecosystem should still pay attention: Bluetooth vulnerabilities often span multiple operating systems because they exploit hardware-level protocol handling. While this specific issue is in the Linux kernel, similar flaws have appeared in other stacks. The discovery highlights the importance of rigorous input validation in all Bluetooth implementations.

What About WSL?

The Windows Subsystem for Linux does not provide direct hardware access; thus, WSL instances cannot directly utilize Bluetooth adapters. This effectively quarantines them from CVE-2026-46138. Virtual machines running under Hyper-V with Discrete Device Assignment (DDA) or USB passthrough could be vulnerable, but such configurations are uncommon for Bluetooth. In summary, Windows users are unlikely to be affected unless they are running Linux on bare metal or with explicit Bluetooth hardware sharing.

Bluetooth LE Audio: The Next Frontier and Its Risks

Bluetooth LE Audio, introduced with the Bluetooth 5.2 specification and refined in 5.3, represents a major evolution in wireless audio. It includes the Low Complexity Communications Codec (LC3) for better quality at lower bitrates, multi-stream audio, and Auracast broadcast audio. BIG is central to Auracast, enabling one-to-many audio sharing in public venues, classrooms, and assistive listening systems.

The new features bring increased protocol complexity, which can lead to security vulnerabilities. CVE-2026-46138 is a case in point: the new commands and data structures for BIG creation were not sufficiently hardened. As LE Audio adoption grows—in headphones, hearing aids, and smart speakers—the attack surface expands. Security researchers have long warned that Bluetooth, despite improvements, remains a rich target due to its large protocol stack and mandatory backward compatibility.

A History of Bluetooth Kernel Bugs

This is not the first time the Linux Bluetooth stack has had a critical OOB or endless loop bug. Past CVEs include:

  • CVE-2020-12351: A remote code execution flaw in the Bluetooth HCI event packet parser (BlueBorne-like).
  • CVE-2021-33034: A use-after-free in the Bluetooth subsystem leading to privilege escalation.
  • CVE-2022-3564: A heap-based buffer overflow in the Bluetooth L2CAP implementation.

Each time, the kernel community responded with patches, but the pattern indicates that the Bluetooth stack's code quality and testing need improvement. The advent of LE Audio adds fresh code that hasn't received the same level of scrutiny as older, more battle-tested Bluetooth Classic code.

Mitigation and Workarounds

As of publication, upstream kernel patches are being developed, and Linux distributions are expected to release updates in the coming days. In the meantime, users can mitigate the risk by disabling Bluetooth when not in use—especially in public or untrusted environments. On most Linux systems, this can be done by stopping the Bluetooth service (sudo systemctl stop bluetooth) or by unloading the Bluetooth kernel modules (modprobe -r btusb and related modules). For embedded devices where Bluetooth is essential, consider placing them in secure environments out of range of potential attackers.

For Windows users running Linux VMs with Bluetooth passthrough, disable the passthrough or shut down the VM when not needed. IoT device owners should check with their manufacturer for firmware updates and, if possible, disable Bluetooth discovery and connectability.

Temporary Fix for Developers

Kernel developers or advanced users can apply a temporary in-memory patch using kernel live patching tools (e.g., kpatch, livepatch) if available for their kernel version. However, live patching for this vulnerability would require intricate knowledge of the hci_le_create_big function and is not recommended for production without thorough testing.

Response from the Linux Kernel Community

The Linux kernel security team, in coordination with maintainers of the Bluetooth subsystem, has been alerted to the issue. As per standard practice, the bug was reported privately before public disclosure to allow time for patches. The CVE assignment by kernel.org indicates that a fix is imminent or already merged into the mainline kernel. Distributions that follow the stable kernel updates closely will likely push out patches quickly, particularly for long-term support (LTS) kernels.

System administrators should monitor their distribution's security announcements and apply kernel updates as soon as they become available. For custom or embedded Linux builds, developers will need to backport the patch or rebuild with the fix. Given the simplicity of the bug—an improper length check—the fix is expected to be a small change that adds proper validation before copying the BIS array.
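The length check described in the root-cause discussion above, and the validation the expected fix is said to add, as an added example in C that is not the kernel's own code: a parser for a constructed count-prefixed BIS handle layout that rejects a packet whose declared count exceeds the bytes that actually arrived, beside a helper that computes how far a count-trusting loop would have read past the buffer. The wire layout, BIS_MAX, the function names and the sample bytes are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed layout for this example (not the kernel's struct): one
 * Num_BIS count byte followed by Num_BIS little-endian 16-bit BIS
 * handles. BIS_MAX is an assumed upper bound on the count. */
#define BIS_HANDLE_LEN 2
#define BIS_MAX        0x1F
#define BIS_BYTES(n)   (1 + (size_t)(n) * BIS_HANDLE_LEN) /* count byte + array */

/* Hardened parser: checks the declared count against the bytes that
 * actually arrived before touching the array. Returns the number of
 * handles copied, or -1 when the packet is rejected. */
static int parse_bis_handles(const uint8_t *pkt, size_t pkt_len,
                             uint16_t *out, size_t out_cap)
{
    if (pkt_len < 1)
        return -1;                  /* no count byte at all */
    uint8_t num_bis = pkt[0];
    if (num_bis == 0 || num_bis > BIS_MAX)
        return -1;                  /* empty or implausible group */
    if (BIS_BYTES(num_bis) > pkt_len || (size_t)num_bis > out_cap)
        return -1;                  /* count claims more than was sent */
    for (size_t i = 0; i < (size_t)num_bis; i++) {
        const uint8_t *p = pkt + 1 + i * BIS_HANDLE_LEN;
        out[i] = (uint16_t)(p[0] | (p[1] << 8));
    }
    return (int)num_bis;
}

/* How many bytes past the buffer a count-trusting read would run (0 = safe). */
static size_t overrun_bytes(const uint8_t *pkt, size_t pkt_len)
{
    size_t need = pkt_len ? BIS_BYTES(pkt[0]) : 0;
    return need > pkt_len ? need - pkt_len : 0;
}

/* Constructed samples: a consistent packet, and one whose count lies. */
static const uint8_t good_pkt[] = { 0x02, 0x40, 0x00, 0x41, 0x00 };
static const uint8_t bad_pkt[]  = { 0x10, 0x40, 0x00, 0x41, 0x00 };

int main(void)
{
    uint16_t h[BIS_MAX];
    printf("good: rc=%d\n", parse_bis_handles(good_pkt, sizeof good_pkt, h, BIS_MAX));
    printf("bad: rc=%d, count-trusting read would overrun by %zu bytes\n",
           parse_bis_handles(bad_pkt, sizeof bad_pkt, h, BIS_MAX),
           overrun_bytes(bad_pkt, sizeof bad_pkt));
    return 0;
}
```

The same "does the declared count fit in what was received" test applies to any count-prefixed HCI array, which is why it belongs before the first element is touched rather than inside the loop.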

Broader Implications for IoT and Mobile

This vulnerability underscores the systemic challenge of securing IoT devices that run Linux. Many smart home devices, medical wearables, and industrial sensors use Linux-based firmwares with Bluetooth connectivity. These devices often receive infrequent updates, leaving them exposed for months or years. CVE-2026-46138 could become a vector for targeted attacks on critical infrastructure or personal devices.

Android, which relies on the Linux kernel, may also be affected if it includes the vulnerable code in its Bluetooth stack. However, Android's Bluetooth implementation often uses a separate HAL and may not directly expose the Linux kernel's HCI functions for LE Audio BIG creation. Google's security team typically audits such issues and rolls out monthly patches if needed. Still, device manufacturers notoriously lag in deploying Android security updates, putting millions of phones at prolonged risk.

What Users Should Do Right Now

  1. Check Your Exposure: Determine if you run any Linux systems with Bluetooth enabled. Use commands like lsmod | grep bluetooth to see loaded modules.
  2. Disable Bluetooth Until Patched: If you don't need Bluetooth, turn it off. For critical systems, consider disabling the hardware at the BIOS or using physical switches if available.
  3. Monitor for Updates: Subscribe to your Linux distribution's security mailing list or feed. Look for kernel updates addressing CVE-2026-46138.
  4. Apply Workarounds in Code: For developers who cannot disable Bluetooth, review the code and, if possible, add a temporary filter in the Bluetooth stack to reject malformed BIG commands, though this requires kernel recompilation.
  5. Stay Informed: Follow the NVD entry and the kernel security mailing list for technical details and proof-of-concept releases.

Looking Ahead: The Future of Bluetooth Security

CVE-2026-46138 is a reminder that as wireless protocols become more complex, the potential for kernel-level vulnerabilities grows. The Bluetooth Special Interest Group (SIG) continues to innovate, but the onus is on implementors—especially in open-source kernels—to maintain robust security practices. Fuzz testing and formal verification of protocol handling code could prevent such issues.

For Windows users and enthusiasts, this event may encourage a closer look at the Bluetooth stack in both Windows and Linux. While Windows remains unaffected in this instance, the broader lesson is clear: no operating system is immune to low-level protocol bugs. As always, keeping software up to date and practicing defense in depth remain the best defenses against emerging threats.