Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtk: validate WMT event SKB length before struct access

btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to
struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc
(9 bytes) without first checking that the SKB contains enough data.
A short firmware response causes out-of-bounds reads from SKB tailroom.

Use skb_pull_data() to validate and advance past the base WMT event
header. For the FUNC_CTRL case, pull the additional status field bytes
before accessing them.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
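The check the description calls for, modelled in userspace C as an added example (not the kernel's code or the upstream patch). `pull_data()` stands in for `skb_pull_data()`; the op-byte offset, the FUNC_CTRL opcode value, the big-endian status and the sample bytes are assumptions or constructed values, and only the 7- and 9-byte sizes come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WMT_EVT_LEN   7    /* struct btmtk_hci_wmt_evt size, per the description */
#define WMT_FUNCC_LEN 9    /* struct btmtk_hci_wmt_evt_funcc size, per the description */
#define OP_OFFSET     3    /* assumed offset of the op byte inside the header */
#define OP_FUNC_CTRL  0x06 /* assumed opcode value, for illustration only */

/* Userspace stand-in for an SKB: read cursor plus bytes remaining. */
struct buf { const uint8_t *data; size_t len; };

/* Models skb_pull_data(): NULL when fewer than n bytes remain, otherwise
 * return the current position and advance past n bytes. */
static const uint8_t *pull_data(struct buf *b, size_t n)
{
    const uint8_t *p = b->data;
    if (b->len < n)
        return NULL;
    b->data += n;
    b->len -= n;
    return p;
}

/* Length-checked parse. Returns -1 for a short event, 0 for a valid event
 * without a status field, 1 for FUNC_CTRL with *status filled in. */
int parse_wmt_evt(const uint8_t *bytes, size_t n, uint16_t *status)
{
    struct buf b = { bytes, n };
    const uint8_t *hdr = pull_data(&b, WMT_EVT_LEN);
    const uint8_t *st;
    if (!hdr)
        return -1;                 /* header incomplete: never touch it */
    if (hdr[OP_OFFSET] != OP_FUNC_CTRL)
        return 0;
    st = pull_data(&b, WMT_FUNCC_LEN - WMT_EVT_LEN);
    if (!st)
        return -1;                 /* FUNC_CTRL without its status bytes */
    *status = (uint16_t)((st[0] << 8) | st[1]); /* assumed big-endian */
    return 1;
}

/* Constructed 9-byte FUNC_CTRL event; shorter lengths model truncation. */
const uint8_t sample_evt[WMT_FUNCC_LEN] = { 0xe4, 0x07, 0x02, 0x06, 0x03, 0x00, 0x00, 0x04, 0x04 };

int main(void)
{
    uint16_t st = 0;
    for (size_t n = 0; n <= sizeof(sample_evt); n++)
        printf("len=%zu -> %d\n", n, parse_wmt_evt(sample_evt, n, &st));
}
```

Lengths 0 through 8 of the sample are rejected; a cast-based parser would instead read the missing bytes from whatever follows the buffer.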
AI Analysis

Impact

This flaw occurs when the btmtk USB Bluetooth driver casts the data from a received WMT event into specific structs without verifying that the packet contains enough bytes. The missing check allows an attacker to trigger out‑of‑bounds reads from the packet tailroom, which can expose the contents of kernel memory and potentially crash the system. The vulnerability is therefore a classic out‑of‑bounds read that can lead to information disclosure or a denial‑of‑service if an attacker can deliver a specially constructed, undersized firmware response.

Affected Systems

The affected product is the Linux kernel, specifically the btmtk driver that handles Bluetooth USB devices. No specific kernel version numbers are listed in the CVE, but the vulnerability was fixed in the commit referenced in the advisory. All Linux systems that load the btmtk USB Bluetooth module and receive WMT event responses are potentially impacted.

Risk and Exploitability

The CVSS score is not listed, so we cannot quantify the severity from the data, but an out‑of‑bounds read in the kernel is a high‑severity flaw. EPSS is not available, and the vulnerability is not in the CISA KEV catalog. The likely attack vector is local or via compromised USB/Bluetooth firmware that can send a crafted, short WMT event. An attacker with physical access to a Linux system or control over a Bluetooth USB device could exploit this to read memory or crash the kernel.

Generated by OpenCVE AI on May 28, 2026 at 11:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that includes the fix for CVE-2026-46140 (commit 624fb79dadc1b65757986a9d0fdde5c0cf3fe179 or any later stable release).
  • If immediate update is not possible, disable the btmtk USB Bluetooth module or block its related USB classes to prevent the vulnerable code from loading.
  • Verify that the firmware on the Bluetooth USB device has been updated to a version that no longer sends overly short WMT event responses, or apply a temporary local kernel patch that adds skb_pull_data() checks before accessing the struct fields.



Advisories

No advisories yet.

History

Thu, 28 May 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: validate WMT event SKB length before struct access btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom. Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them. |
| Title | | Bluetooth: btmtk: validate WMT event SKB length before struct access |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:56.104Z

Reserved: 2026-05-13T15:03:33.100Z

Link: CVE-2026-46140

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:29.580

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46140

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T12:45:06Z

Weaknesses

No weakness.