CVE-2026-46140
Bluetooth: btmtk: validate WMT event SKB length before struct access
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtk: validate WMT event SKB length before struct access

btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.

Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.
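The check-then-advance pattern described above, as a userspace C model added here for illustration (it is not the kernel patch or the driver's code). struct buf, buf_pull_data() and parse_wmt_evt() are hypothetical names, the 7- and 9-byte sizes come from the description, and the status byte order is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WMT_EVT_LEN    7 /* size the advisory gives for struct btmtk_hci_wmt_evt */
#define WMT_STATUS_LEN 2 /* extra bytes in struct btmtk_hci_wmt_evt_funcc (9 - 7) */

/* Hypothetical stand-in for an SKB: read cursor plus count of valid bytes. */
struct buf { const uint8_t *data; size_t len; };

/* Models the skb_pull_data() contract: hand back the current position and
 * advance n bytes, or return NULL when fewer than n valid bytes remain. */
static const uint8_t *buf_pull_data(struct buf *b, size_t n)
{
    const uint8_t *p = b->data;

    if (b->len < n)
        return NULL;
    b->data += n;
    b->len -= n;
    return p;
}

/* Returns the status (0 for non-FUNC_CTRL events) or -1 on a short response. */
int parse_wmt_evt(const uint8_t *data, size_t len, int is_func_ctrl)
{
    struct buf b = { data, len };
    const uint8_t *st;

    if (!buf_pull_data(&b, WMT_EVT_LEN))
        return -1;               /* rejected before any header field is read */
    if (!is_func_ctrl)
        return 0;
    st = buf_pull_data(&b, WMT_STATUS_LEN);
    if (!st)
        return -1;               /* header present, status bytes missing */
    return (st[0] << 8) | st[1]; /* byte order is an assumption of this model */
}

/* Constructed sample response, not captured firmware traffic. */
static const uint8_t sample_evt[9] = { 0, 0, 0, 0, 0, 0, 0, 0x04, 0x20 };

int main(void)
{
    printf("full FUNC_CTRL: %d\n", parse_wmt_evt(sample_evt, 9, 1));
    printf("7 of 9 bytes:   %d\n", parse_wmt_evt(sample_evt, 7, 1));
    printf("6-byte event:   %d\n", parse_wmt_evt(sample_evt, 6, 0));
    return 0;
}
```

The 7-byte FUNC_CTRL case is the one a single up-front header check would miss: the base header is complete, but the status bytes the wider struct expects are not there.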
| Vendor | linux |
| Product | linux |
| Ecosystems | |
| Industries | Technology |
| Published | May 28, 2026 |
| Last Updated | Jun 1, 2026 |
Affected Versions
Linux / Linux
d019930b0049fc2648a6b279893d8ad330596e81 < c411cf1bfde951cfa821809cf4020ba177f76e0c
d019930b0049fc2648a6b279893d8ad330596e81 < 624fb79dadc1b65757986a9d0fdde5c0cf3fe179
d019930b0049fc2648a6b279893d8ad330596e81 < 70d37a8b9229e394cc17ddad47e90b81d80fcd09
d019930b0049fc2648a6b279893d8ad330596e81 < 634a4408c0615c523cf7531790f4f14a422b9206
f0457842215438786e2e205ad06a4fbb8ab63cd0 6.6.142 < 6.7
Linux / Linux
6.11
References
git.kernel.org: https://git.kernel.org/stable/c/c411cf1bfde951cfa821809cf4020ba177f76e0c
git.kernel.org: https://git.kernel.org/stable/c/624fb79dadc1b65757986a9d0fdde5c0cf3fe179
git.kernel.org: https://git.kernel.org/stable/c/70d37a8b9229e394cc17ddad47e90b81d80fcd09
git.kernel.org: https://git.kernel.org/stable/c/634a4408c0615c523cf7531790f4f14a422b9206