CVE-2026-31772
Published: 01 May 2026
Summary
CVE-2026-31772 is a high-severity vulnerability in the Linux kernel (product inferred from references); no specific weakness type (CWE) has been assigned. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the stack buffer overflow by applying the Linux kernel patches that increase the DEFINE_FLEX allocation to HCI_MAX_ISO_BIS, preventing the memcpy out-of-bounds write.
- Implements memory protections such as kernel stack canaries that detect and prevent exploitation of the stack buffer overflow in hci_le_big_create_sync during BIS entry copying.
- Enforces secure kernel configuration settings, such as enabling CONFIG_STACKPROTECTOR, to mitigate buffer overflow risks in the Bluetooth HCI sync module.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel stack buffer overflow in the Bluetooth HCI code allows a low-privileged attacker to corrupt adjacent stack memory via crafted ISO socket parameters; this directly enables exploitation for privilege escalation (arbitrary code execution in kernel context) with high impact on confidentiality, integrity and availability.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync

hci_le_big_create_sync() uses DEFINE_FLEX to allocate a struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17) BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31) entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31, the memcpy that copies conn->bis into cp->bis writes up to 14 bytes past the stack buffer, corrupting adjacent stack memory. This is trivially reproducible: binding an ISO socket with bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will eventually trigger hci_le_big_create_sync() from the HCI command sync worker, causing a KASAN-detectable stack-out-of-bounds write:

BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0
Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71

Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that conn->bis can actually carry.
Deeper analysis
CVE-2026-31772 is a stack buffer overflow vulnerability in the Linux kernel's Bluetooth subsystem, specifically in the hci_le_big_create_sync() function within the HCI sync module. The function allocates a struct hci_cp_le_big_create_sync on the stack using DEFINE_FLEX with space for only 0x11 (17) BIS entries. However, the conn->num_bis value, validated up to HCI_MAX_ISO_BIS (31) by the caller hci_conn_big_create_sync(), can exceed this limit. When conn->num_bis is between 18 and 31, the subsequent memcpy copies up to 14 bytes past the buffer end, corrupting adjacent stack memory.
A local attacker with low privileges can trigger this vulnerability by binding an ISO socket with bc_num_bis set to ISO_MAX_NUM_BIS (31) and calling listen(), which causes the HCI command sync worker to run hci_le_big_create_sync() and perform a detectable stack-out-of-bounds write. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects low attack complexity and high potential impact on confidentiality, integrity, and availability through stack corruption.
Mitigation patches are available in the Linux kernel stable repository, including commits aba0aea354015794e8312dd7efe726967e58aefe, bc39a094730ce062fa034a529c93147c096cb488, eaf32002ca7b1ba51c9f140991fd9febe6de79f0, and f5d446624345d309e7a4a1b27ea9f028d6a8c5d9. These resolve the issue by changing the DEFINE_FLEX count from 0x11 to HCI_MAX_ISO_BIS, ensuring sufficient space for the maximum number of BIS entries in conn->bis.
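A user-space model of the size mismatch described above, added here as an example and not kernel code: it shows the overflow arithmetic (17-entry buffer versus up to 31 entries) and a builder that sizes its stack buffer for HCI_MAX_ISO_BIS, as the fix does, and additionally checks num_bis against that capacity before the memcpy. The struct layout, the DEFINE_FLEX stand-in and the demo_build helper are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space model of the bug; not the kernel's code. */
#define HCI_MAX_ISO_BIS   31    /* entries conn->bis can carry, checked by the caller */
#define BUGGY_FLEX_COUNT  0x11  /* 17-entry capacity the stack buffer had before the fix */

/* Modelled on hci_cp_le_big_create_sync: a fixed header then a flexible BIS index array. */
struct cp_le_big_create_sync {
    uint8_t handle;
    uint8_t sync_handle;
    uint8_t num_bis;
    uint8_t bis[];
};

/* Bytes memcpy would write past a buffer sized for `cap` entries when copying num_bis. */
size_t overflow_bytes(size_t cap, size_t num_bis) {
    return num_bis > cap ? num_bis - cap : 0;
}

/* Hardened builder: the stack buffer is sized for HCI_MAX_ISO_BIS (the upstream fix) and
 * num_bis is checked against that capacity before memcpy (defence in depth).
 * Returns the number of bytes written to out, or -1 if the input is rejected. */
int build_create_sync(const uint8_t *bis, size_t num_bis, uint8_t *out, size_t out_len) {
    /* stand-in for DEFINE_FLEX(struct hci_cp_le_big_create_sync, cp, bis, num_bis, HCI_MAX_ISO_BIS) */
    union {
        struct cp_le_big_create_sync cp;
        uint8_t raw[sizeof(struct cp_le_big_create_sync) + HCI_MAX_ISO_BIS];
    } buf;
    size_t cap = sizeof(buf.raw) - sizeof(buf.cp);   /* 31 entries */
    size_t need = sizeof(buf.cp) + num_bis;          /* header plus one byte per BIS index */

    if (num_bis > cap || out_len < need)             /* the check the 17-entry buffer lacked */
        return -1;
    memset(&buf, 0, sizeof(buf));
    buf.cp.num_bis = (uint8_t)num_bis;
    memcpy(buf.cp.bis, bis, num_bis);                /* can no longer exceed the buffer */
    memcpy(out, buf.raw, need);
    return (int)need;
}

/* Builds a constructed list of num_bis BIS indices and runs it through the builder. */
int demo_build(size_t num_bis) {
    uint8_t bis[64], out[80];
    for (size_t i = 0; i < sizeof(bis); i++)
        bis[i] = (uint8_t)(i + 1);
    return build_create_sync(bis, num_bis, out, sizeof(out));
}
```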
Details
- CWE(s)