CVE-2026-46140

Published: May 28, 2026

Modified: Jun 1, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: validate WMT event SKB length before struct access btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom. Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.

Vendor	Product	Versions
Linux	Linux	affected `d019930b0049fc2648a6b279893d8ad330596e81 - < c411cf1bfde951cfa821809cf4020ba177f76e0c` affected `d019930b0049fc2648a6b279893d8ad330596e81 - < 624fb79dadc1b65757986a9d0fdde5c0cf3fe179` affected `d019930b0049fc2648a6b279893d8ad330596e81 - < 70d37a8b9229e394cc17ddad47e90b81d80fcd09` affected `d019930b0049fc2648a6b279893d8ad330596e81 - < 634a4408c0615c523cf7531790f4f14a422b9206` affected `f0457842215438786e2e205ad06a4fbb8ab63cd0` +1 more versions
Linux	Linux	affected `6.11` unaffected `0 - < 6.11` unaffected `6.12.88 - <= 6.12.` unaffected `6.18.30 - <= 6.18.` unaffected `7.0.7 - <= 7.0.*` +1 more versions

References

https://git.kernel.org/stable/c/c411cf1bfde951cfa821809cf4020ba177f76e0c

https://git.kernel.org/stable/c/624fb79dadc1b65757986a9d0fdde5c0cf3fe179

https://git.kernel.org/stable/c/70d37a8b9229e394cc17ddad47e90b81d80fcd09

https://git.kernel.org/stable/c/634a4408c0615c523cf7531790f4f14a422b9206

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-46140

Description

Affected Products

References