CVE-2026-46140

NONE EPSS 3.0%
Published May 28, 20261mo ago · Modified Jun 17, 20261w ago
Find Similar
Published May 28, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: validate WMT event SKB length before struct access btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom. Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.

Threat Intelligence

EPSS Exploit Probability
3.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 4

  • git.kernel.org https://git.kernel.org/stable/c/624fb79dadc1b65757986a9d0fdde5c0cf3fe179
  • git.kernel.org https://git.kernel.org/stable/c/634a4408c0615c523cf7531790f4f14a422b9206
  • git.kernel.org https://git.kernel.org/stable/c/70d37a8b9229e394cc17ddad47e90b81d80fcd09
  • git.kernel.org https://git.kernel.org/stable/c/c411cf1bfde951cfa821809cf4020ba177f76e0c

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.