Linux kernel virtio_bt RX length validation flaw
CVE-2026-46123 is a Linux kernel vulnerability in the Bluetooth virtio_bt driver, fixed under the change titled "Bluetooth: virtio_bt: clamp rx length before skb_put." In the vulnerable path, virtbt_rx_work() passes a device-reported length from virtqueue_get_buf() directly to skb_put(skb, len) without validating that len matches the size of the RX buffer actually exposed to the virtio backend. The RX skb is allocated in virtbt_add_inbuf() and only 1000 bytes are shared with the device via sg_init_one(), but alloc_skb() may leave more tailroom than that. As a result, a malicious or buggy virtio backend can report used.len greater than 1000 but still within skb_tailroom(skb), causing skb_put() to extend the skb over bytes never written by the device and thereby include uninitialized kernel heap memory. The same code path also accepted used.len == 0; in that case, skb_put(skb, 0) leaves the skb empty, but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory. The fix introduces a shared VIRTBT_RX_BUF_SIZE constant used consistently for allocation and scatter-gather exposure, rejects zero-length completions, and bounds RX processing to the actual exposed buffer size.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linux kernel vulnerability in fanotify permission event handling.
A Linux kernel vulnerability in Bluetooth virtio_bt involving insufficient receive length validation before skb_put.
A Linux kernel Bluetooth virtio_bt vulnerability caused by improper validation of device-reported RX buffer length, which could lead to inclusion and consumption of uninitialized kernel heap memory from a malicious or buggy backend.
Linux kernel vulnerability in Bluetooth virtio_bt due to insufficient receive length validation before skb_put.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.