Linux Kernel RFCOMM OOB Read via Truncated MCC Frames
CVE-2026-53254 Published on June 25, 2026
Bluetooth: RFCOMM: validate skb length in MCC handlers
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: RFCOMM: validate skb length in MCC handlers
The RFCOMM MCC handlers cast skb->data to protocol-specific structs
without validating skb->len first. A malicious remote device can send
truncated MCC frames and trigger out-of-bounds reads in these handlers.
Fix this by using skb_pull_data() to validate and access the required
data before dereferencing it.
rfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows
1-byte RPN requests. Handle this by validating only the DLCI byte first,
and validating the full struct only when len > 1.
Products Associated with CVE-2026-53254
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 7c15c7c2878957cbfed93bcc29c13fdace464254 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 0d637136ce89f9a2309b2c3502402ce400dab0ef is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 98377e6b1a1a56561ec66a181573ea2b61b2079e is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 1b070ac9e99c2c2c3a8112943ca98ab6fca7f10c is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 3eabc6d47a0ad22b053329997aaf0ec1e581e392 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 08b9c1fbe78f4ad3f6250c6541cfaabdbeb81997 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 23882b828c3c8c51d0c946446a396b10abb3b16b is affected.
- Version 2.6.12 is affected.
- Before 2.6.12 is unaffected.
- Version 5.15.210, <= 5.15.* is unaffected.
- Version 6.1.176, <= 6.1.* is unaffected.
- Version 6.6.143, <= 6.6.* is unaffected.
- Version 6.12.94, <= 6.12.* is unaffected.
- Version 6.18.36, <= 6.18.* is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.