CVE-2026-46140
published 2026-05-28CVE-2026-46140: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: validate WMT event SKB length before struct access…
medium5.5
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btmtk: validate WMT event SKB length before struct access
btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to
struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc
(9 bytes) without first checking that the SKB contains enough data.
A short firmware response causes out-of-bounds reads from SKB tailroom.
Use skb_pull_data() to validate and advance past the base WMT event
header. For the FUNC_CTRL case, pull the additional status field bytes
before accessing them.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | — | — |
| linux | linux | >= 6.6.142 < 6.7 | 6.7 |
| linux | linux | >= d019930b0049fc2648a6b279893d8ad330596e81 < c411cf1bfde951cfa821809cf4020ba177f76e0c | c411cf1bfde951cfa821809cf4020ba177f76e0c |
| linux | linux | >= d019930b0049fc2648a6b279893d8ad330596e81 < 624fb79dadc1b65757986a9d0fdde5c0cf3fe179 | 624fb79dadc1b65757986a9d0fdde5c0cf3fe179 |
| linux | linux | >= d019930b0049fc2648a6b279893d8ad330596e81 < 70d37a8b9229e394cc17ddad47e90b81d80fcd09 | 70d37a8b9229e394cc17ddad47e90b81d80fcd09 |
| linux | linux | >= d019930b0049fc2648a6b279893d8ad330596e81 < 634a4408c0615c523cf7531790f4f14a422b9206 | 634a4408c0615c523cf7531790f4f14a422b9206 |
| linux | linux_kernel | — | — |