1050299 matches found
CVE-2026-9263
The Zephyr Bluetooth controller ISO Adaptation Layer subsys/bluetooth/controller/llsw/isoal.c fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment sc=0 always carries a 3-byte timeoffset, so its segment-header len must be at least...
CVE-2026-9263
The CVE-2026-9263 issue affects Zephyr’s ISO Adaptation Layer (ISOAL) in the Bluetooth controller. The root cause is that framed ISO PDU start segments (sc=0) with len len - 3 to underflow when len is 0–2. This produced an oversized length (up to 253–255) that was passed to isoal_rx_append_to_sdu...
CVE-2026-13523
A weakness has been identified in GPAC up to 26.02.0. This affects an unknown part of the file src/utils/baseencoding.c of the component ISOBMFF Parser. Executing a manipulation can lead to highly compressed data. The attack needs to be launched locally. The exploit has been made available to the...
SUSE CVE-2026-53251
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync hcigetroute returns a reference-counted hcidev pointer via hcidevhold. The function exits normally or with an error without ever releasing it...
SUSE CVE-2026-53276
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hciconn pointer In isosockrebindbc, the bis pointer is cached, then the socket lock is dropped: bis = isopisk-conn-hcon; / Release the socket before lookups since that requires hcidevlo...
CVE-2026-53276
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hciconn pointer In isosockrebindbc, the bis pointer is cached, then the socket lock is dropped: bis = isopisk-conn-hcon; / Release the socket before lookups since that requires hcidevlo...
CVE-2026-53251
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync hcigetroute returns a reference-counted hcidev pointer via hcidevhold. The function exits normally or with an error without ever releasing it...
UBUNTU-CVE-2026-53276
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hciconn pointer In isosockrebindbc, the bis pointer is cached, then the socket lock is dropped: bis = isopisk-conn-hcon; / Release the socket before lookups since that requires hcidevlo...
UBUNTU-CVE-2026-53251
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync hcigetroute returns a reference-counted hcidev pointer via hcidevhold. The function exits normally or with an error without ever releasing it...
CVE-2026-53276
The CVE-2026-53276 entry concerns the Linux kernel Bluetooth ISO stack. A use-after-free occurs in iso_sock_rebind_bc where the bis pointer is cached and the socket lock is released before traversals, allowing a concurrent close() to free the hci_conn and its bis structure. The code then accesses...
EUVD-2026-39227
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hciconn pointer In isosockrebindbc, the bis pointer is cached, then the socket lock is dropped: bis = isopisk-conn-hcon; / Release the socket before lookups since that requires hcidevlo...
CVE-2026-53276
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hciconn pointer In isosockrebindbc, the bis pointer is cached, then the socket lock is dropped: bis = isopisk-conn-hcon; / Release the socket before lookups since that requires hcidevlo...
CVE-2026-53251
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync hcigetroute returns a reference-counted hcidev pointer via hcidevhold. The function exits normally or with an error without ever releasing it...
CVE-2026-53251
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync hcigetroute returns a reference-counted hcidev pointer via hcidevhold. The function exits normally or with an error without ever releasing it...
CVE-2026-53251
CVE-2026-53251: Linux kernel Bluetooth ISO path vulnerability where hci_get_route() leaks a reference-counted hci_dev pointer (via hci_dev_hold()) on exit, without releasing it. Documented as a resource leak that can contribute to a Denial of Service. Several advisories indicate patches exist (e....
EUVD-2026-39202
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync hcigetroute returns a reference-counted hcidev pointer via hcidevhold. The function exits normally or with an error without ever releasing it...
Astra Linux – Vulnerability in Linux 6.12
In the Linux kernel, the following vulnerabilities have been resolved: Bluetooth: btusb: mediatek – Fixed a kernel crash that occurred when releasing the mtk iso interface. When performing reset tests and encountering abnormal card drop issues that lead to a kernel crash, it is necessary to perfo...
Astra Linux – Vulnerability in Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Avoid NULL dereference of btusbmtkclaimisointf In the btusbmtksetup function, we set btmtkdata-isopktintf to: usbifnumtoifdata-udev, MTKISOIFNUM This function may return NULL in some cases. Even when...
CVE-2026-46303
A flaw was found in the Linux kernel's isofs filesystem. This vulnerability allows a local attacker, by mounting a specially crafted ISO image, to read data beyond the boundaries of the intended ISO 9660 volume. This out-of-bounds read could lead to information disclosure, potentially exposing...
CVE-2026-10658
A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In btisorecv subsys/bluetooth/host/iso.c, when processing PB=START/SINGLE fragments, the code pulls a TS SDU header 8 bytes, ts=1 or a non-TS SDU header 4 bytes, ts=0 without firs...