CVE-2026-53253

HIGHPre-NVD 7.17.1
EchelonGraph scoreHIGH confidence

Score 7.1 from GitHub Security Advisory (severity: HIGH) published 2026-06-25. a secondary CVSS source baseline 7.1; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary
Trending — 4 sources updated this week
7.1
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: bnep: reject short frames before parsing

A BNEP peer can send a short BNEP SDU. bnep_rx_frame() reads the packet type byte immediately and, for control packets, reads the control opcode and setup UUID-size byte before proving that those bytes are present. bnep_rx_control() also dereferences the control opcode without rejecting an empty control payload.

Use skb_pull_data() for the fixed fields in bnep_rx_frame() so a NULL return gates each dereference. Split the control handler so the frame path can pass an opcode that has already been pulled, and keep the byte-buffer wrapper for extension control payloads.

For BNEP_SETUP_CONN_REQ, name the UUID-size byte before pulling the setup payload. struct bnep_setup_conn_req carries destination and source service UUIDs after that byte, each uuid_size bytes, so the parser now documents that tuple explicitly instead of leaving the pull length as an opaque multiplication.

Validation reproduced this kernel report: KASAN slab-out-of-bounds in bnep_rx_frame.isra.0+0x130c/0x1790 The buggy address belongs to the object at ffff88800c0f7908 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes to the right of allocated 1-byte region [ffff88800c0f7908, ffff88800c0f7909) Read of size 1 Call trace: dump_stack_lvl+0xb3/0x140 (?:?) print_address_description+0x57/0x3a0 (?:?) bnep_rx_frame+0x130c/0x1790 (net/bluetooth/bnep/core.c:306) print_report+0xb9/0x2b0 (?:?) __virt_addr_valid+0x1ba/0x3a0 (?:?) srso_alias_return_thunk+0x5/0xfbef5 (?:?) kasan_addr_to_slab+0x21/0x60 (?:?) kasan_report+0xe0/0x110 (?:?) process_one_work+0xfce/0x17e0 (kernel/workqueue.c:3200) worker_thread+0x65c/0xe40 (?:?) __kthread_parkme+0x184/0x230 (?:?) kthread+0x35e/0x470 (?:?) _raw_spin_unlock_irq+0x28/0x50 (?:?) ret_from_fork+0x586/0x870 (?:?) __switch_to+0x74f/0xdc0 (?:?) ret_from_fork_asm+0x1a/0x30 (?:?)

CVSS v3
7.1
EG Score
7.1(high)
EPSS
19.2%
KEV
Not listed

Published

June 25, 2026

Last Modified

June 30, 2026

Advisory Details (7)

Auto-updated Jun 30, 2026
No patch confirmed yet.
generic

Bluetooth: bnep: reject short frames before parsing - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/d76dec1a37122bc16d83d059c08c0512ea8de909
generic

Bluetooth: bnep: reject short frames before parsing - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/c893e17d2809ec9c4b3f1cdd5847cecbc27a311b
generic

Bluetooth: bnep: reject short frames before parsing - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/be837cd09897e9e6e1958174501d467bdcbcc2bc
generic

Bluetooth: bnep: reject short frames before parsing - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/691f14b6a48b637655755134f1e551c7c6fedc2e
generic

Bluetooth: bnep: reject short frames before parsing - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/6770d3a8acdf9151769180cc3710346c4cfbe6f0
generic

Bluetooth: bnep: reject short frames before parsing - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/2b83afb19293e4de700edae306115f18966dc4f9
generic

Bluetooth: bnep: reject short frames before parsing - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/0ef2ea86c82b2615902d085cd5a586fe9f58994f

Vendor Advisories for CVE-2026-53253(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 52× in last 7d / 64× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 03:08 UTCEG score recompute
  2. 2026-07-07 03:08 UTCVendor advisory
  3. 2026-07-07 03:08 UTCGHSA enrichment
  4. 2026-07-06 16:27 UTCEPSS rescore
  5. 2026-07-06 16:27 UTCEPSS rescore
  6. 2026-07-06 15:49 UTCEG score recompute
  7. 2026-07-06 15:49 UTCVendor advisory
  8. 2026-07-06 15:48 UTCGHSA enrichment
  9. 2026-07-06 04:29 UTCEG score recompute
  10. 2026-07-06 04:29 UTCVendor advisory
  11. 2026-07-06 04:29 UTCGHSA enrichment
  12. 2026-07-06 02:23 UTCEPSS rescore
  13. 2026-07-06 02:23 UTCEPSS rescore
  14. 2026-07-05 17:08 UTCEG score recompute
  15. 2026-07-05 17:08 UTCVendor advisory
  16. 2026-07-05 17:08 UTCGHSA enrichment
  17. 2026-07-05 05:49 UTCEG score recompute
  18. 2026-07-05 05:49 UTCVendor advisory
  19. 2026-07-05 05:49 UTCGHSA enrichment
  20. 2026-07-05 02:31 UTCEPSS rescore
  21. 2026-07-05 02:30 UTCEPSS rescore
  22. 2026-07-04 18:25 UTCEG score recompute
  23. 2026-07-04 18:25 UTCVendor advisory
  24. 2026-07-04 18:25 UTCGHSA enrichment
  25. 2026-07-04 07:06 UTCEG score recompute
Show 39 more
  1. 2026-07-04 07:06 UTCVendor advisory
  2. 2026-07-04 07:05 UTCGHSA enrichment
  3. 2026-07-04 06:31 UTCEPSS rescore
  4. 2026-07-04 06:31 UTCEPSS rescore
  5. 2026-07-03 19:45 UTCEG score recompute
  6. 2026-07-03 19:45 UTCVendor advisory
  7. 2026-07-03 19:45 UTCGHSA enrichment
  8. 2026-07-03 08:26 UTCEG score recompute
  9. 2026-07-03 08:26 UTCVendor advisory
  10. 2026-07-03 08:26 UTCGHSA enrichment
  11. 2026-07-02 21:08 UTCEG score recompute
  12. 2026-07-02 21:08 UTCVendor advisory
  13. 2026-07-02 21:08 UTCGHSA enrichment
  14. 2026-07-02 09:48 UTCEG score recompute
  15. 2026-07-02 09:48 UTCVendor advisory
  16. 2026-07-02 09:48 UTCGHSA enrichment
  17. 2026-07-01 22:30 UTCEG score recompute
  18. 2026-07-01 22:30 UTCVendor advisory
  19. 2026-07-01 22:30 UTCGHSA enrichment
  20. 2026-07-01 15:07 UTCEPSS rescore
  21. 2026-07-01 11:11 UTCEG score recompute
  22. 2026-07-01 11:11 UTCVendor advisory
  23. 2026-07-01 11:11 UTCGHSA enrichment
  24. 2026-06-30 23:52 UTCEG score recompute 7.10
  25. 2026-06-30 23:52 UTCVendor advisory
  26. 2026-06-30 23:52 UTCGHSA enrichment
  27. 2026-06-30 23:22 UTCEPSS rescore
  28. 2026-06-29 14:06 UTCEPSS rescore
  29. 2026-06-29 14:06 UTCEPSS rescore
  30. 2026-06-28 14:07 UTCEPSS rescore
  31. 2026-06-28 07:52 UTCMITRE cvelistV5CVSS v3 → 7.1 · severity → HIGH
  32. 2026-06-28 04:58 UTCEG score recompute
  33. 2026-06-28 04:58 UTCGHSA enrichment
  34. 2026-06-28 04:56 UTCEPSS rescore
  35. 2026-06-28 04:56 UTCEPSS rescore
  36. 2026-06-27 03:08 UTCEPSS rescore
  37. 2026-06-25 13:49 UTCEPSS rescore
  38. 2026-06-25 10:05 UTCEG score recompute
  39. 2026-06-25 10:05 UTCGHSA enrichment

Frequently asked(5)

What is CVE-2026-53253?
CVE-2026-53253 is a high vulnerability published on June 25, 2026. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bnep: reject short frames before parsing A BNEP peer can send a short BNEP SDU. bneprxframe() reads the packet type byte immediately and, for control packets, reads the control opcode and setup UUID-size byte before…
When was CVE-2026-53253 disclosed?
CVE-2026-53253 was first published in the National Vulnerability Database on June 25, 2026, with the most recent update on June 30, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-53253 actively exploited?
CVE-2026-53253 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 19.2% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-53253?
CVE-2026-53253 has a CVSS v3 base score of 7.1 (NVD).
How do I remediate CVE-2026-53253?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53253, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53253

Explore →

Is Your Infrastructure Affected by CVE-2026-53253?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.