CVE-2026-53209

HIGHPre-NVD 7.87.8
EchelonGraph scoreHIGH confidence

Score 7.8 from GitHub Security Advisory (severity: HIGH) published 2026-06-25. a secondary CVSS source baseline 7.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary
Trending — 4 sources updated this week
7.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend

Existing advertising instances can already hold the maximum extended advertising payload. When hci_adv_bcast_annoucement() prepends the Broadcast Announcement service data to that payload, the combined data may no longer fit in the temporary buffer used to rebuild the advertising data.

Reject that case before copying the existing payload and report the failure through the device log. This keeps the existing advertising data intact and avoids overrunning the temporary buffer.

CVSS v3
7.8
EG Score
7.8(high)
EPSS
3.6%
KEV
Not listed

Published

June 25, 2026

Last Modified

July 2, 2026

Advisory Details (6)

Auto-updated Jun 28, 2026
No patch confirmed yet.
generic

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/dafc9f57140e66a10945127aa7433c3d715dc253
generic

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/cdd8bbdbee763fdf5bf343e6f7d4e79347739f62
generic

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/5c65b96b549ea2dcfde497436bf9e048deb87758
generic

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/1338ee049a8910ba6c9cee963920e978e6893c7d
generic

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/10b0e832cc05d7aef4b92bed912cbd4a395d0862
generic

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/02f50e8bb69f9b22516163a09922f5537d3b12d1

Vendor Advisories for CVE-2026-53209(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 52× in last 7d / 64× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 05:51 UTCEG score recompute
  2. 2026-07-07 05:51 UTCVendor advisory
  3. 2026-07-07 05:51 UTCGHSA enrichment
  4. 2026-07-06 18:41 UTCEG score recompute
  5. 2026-07-06 18:41 UTCVendor advisory
  6. 2026-07-06 18:40 UTCGHSA enrichment
  7. 2026-07-06 16:27 UTCEPSS rescore
  8. 2026-07-06 16:27 UTCEPSS rescore
  9. 2026-07-06 07:31 UTCEG score recompute
  10. 2026-07-06 07:31 UTCVendor advisory
  11. 2026-07-06 07:31 UTCGHSA enrichment
  12. 2026-07-06 02:23 UTCEPSS rescore
  13. 2026-07-06 02:23 UTCEPSS rescore
  14. 2026-07-05 20:21 UTCEG score recompute
  15. 2026-07-05 20:21 UTCVendor advisory
  16. 2026-07-05 20:21 UTCGHSA enrichment
  17. 2026-07-05 09:13 UTCEG score recompute
  18. 2026-07-05 09:13 UTCVendor advisory
  19. 2026-07-05 09:13 UTCGHSA enrichment
  20. 2026-07-05 02:31 UTCEPSS rescore
  21. 2026-07-05 02:30 UTCEPSS rescore
  22. 2026-07-04 22:02 UTCEG score recompute
  23. 2026-07-04 22:02 UTCVendor advisory
  24. 2026-07-04 22:02 UTCGHSA enrichment
  25. 2026-07-04 10:53 UTCEG score recompute
Show 39 more
  1. 2026-07-04 10:53 UTCVendor advisory
  2. 2026-07-04 10:53 UTCGHSA enrichment
  3. 2026-07-04 06:31 UTCEPSS rescore
  4. 2026-07-04 06:31 UTCEPSS rescore
  5. 2026-07-03 23:45 UTCEG score recompute
  6. 2026-07-03 23:45 UTCVendor advisory
  7. 2026-07-03 23:45 UTCGHSA enrichment
  8. 2026-07-03 12:37 UTCEG score recompute
  9. 2026-07-03 12:37 UTCVendor advisory
  10. 2026-07-03 12:36 UTCGHSA enrichment
  11. 2026-07-03 00:37 UTCEG score recompute
  12. 2026-07-03 00:37 UTCVendor advisory
  13. 2026-07-03 00:37 UTCGHSA enrichment
  14. 2026-07-02 13:28 UTCEG score recompute
  15. 2026-07-02 13:28 UTCVendor advisory
  16. 2026-07-02 13:28 UTCGHSA enrichment
  17. 2026-07-02 02:20 UTCEG score recompute
  18. 2026-07-02 02:20 UTCVendor advisory
  19. 2026-07-02 02:20 UTCGHSA enrichment
  20. 2026-07-01 15:11 UTCEG score recompute
  21. 2026-07-01 15:11 UTCVendor advisory
  22. 2026-07-01 15:11 UTCGHSA enrichment
  23. 2026-07-01 15:07 UTCEPSS rescore
  24. 2026-07-01 04:03 UTCEG score recompute 7.80
  25. 2026-07-01 04:03 UTCVendor advisory
  26. 2026-07-01 04:02 UTCGHSA enrichment
  27. 2026-06-30 23:22 UTCEPSS rescore
  28. 2026-06-29 14:06 UTCEPSS rescore
  29. 2026-06-29 14:06 UTCEPSS rescore
  30. 2026-06-28 14:07 UTCEPSS rescore
  31. 2026-06-28 07:52 UTCMITRE cvelistV5CVSS v3 → 7.8 · severity → HIGH
  32. 2026-06-28 07:05 UTCEG score recompute
  33. 2026-06-28 07:05 UTCGHSA enrichment
  34. 2026-06-28 04:56 UTCEPSS rescore
  35. 2026-06-28 04:56 UTCEPSS rescore
  36. 2026-06-27 03:08 UTCEPSS rescore
  37. 2026-06-25 13:49 UTCEPSS rescore
  38. 2026-06-25 10:07 UTCEG score recompute
  39. 2026-06-25 10:07 UTCGHSA enrichment

Frequently asked(5)

What is CVE-2026-53209?
CVE-2026-53209 is a high vulnerability published on June 25, 2026. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend Existing advertising instances can already hold the maximum extended advertising payload. When hciadvbcast_annoucement() prepends the Broadcast Announcement…
When was CVE-2026-53209 disclosed?
CVE-2026-53209 was first published in the National Vulnerability Database on June 25, 2026, with the most recent update on July 2, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-53209 actively exploited?
CVE-2026-53209 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 3.6% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-53209?
CVE-2026-53209 has a CVSS v3 base score of 7.8 (NVD).
How do I remediate CVE-2026-53209?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53209, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53209

Explore →

Is Your Infrastructure Affected by CVE-2026-53209?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.