CVE Catalog

CVE-2026-46140

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

In the Linux kernel, the Bluetooth btmtk driver lacks validation of WMT event response SKB length before accessing its structure. A short firmware response can cause out-of-bounds reads from the SKB tailroom.

Risk Assessment

An attacker could exploit this vulnerability to leak sensitive kernel memory data or cause system instability by sending a crafted firmware response.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit using skb_pull_data()). Monitor security advisories from your distribution.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: validate WMT event SKB length before struct access btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom. Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS