CVE-2026-46140
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
In the Linux kernel, the Bluetooth btmtk driver lacks validation of WMT event response SKB length before accessing its structure. A short firmware response can cause out-of-bounds reads from the SKB tailroom.
Risk Assessment
An attacker could exploit this vulnerability to leak sensitive kernel memory data or cause system instability by sending a crafted firmware response.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit using skb_pull_data()). Monitor security advisories from your distribution.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: validate WMT event SKB length before struct access btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom. Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.

