CVE-2026-46140

Source
https://cve.org/CVERecord?id=CVE-2026-46140
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46140.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46140
Downstream
Related
Published
2026-05-28T09:35:56.104Z
Modified
2026-07-08T08:13:40.228263532Z
Summary
Bluetooth: btmtk: validate WMT event SKB length before struct access
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtk: validate WMT event SKB length before struct access

btmtkusbhciwmtsync() casts the WMT event response SKB data to struct btmtkhciwmtevt (7 bytes) and struct btmtkhciwmtevt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.

Use skbpulldata() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46140.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f0457842215438786e2e205ad06a4fbb8ab63cd0
Fixed
36c85f7029484d5ede769f8873d16e9c8e35533c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d019930b0049fc2648a6b279893d8ad330596e81
Fixed
c411cf1bfde951cfa821809cf4020ba177f76e0c
Fixed
624fb79dadc1b65757986a9d0fdde5c0cf3fe179
Fixed
70d37a8b9229e394cc17ddad47e90b81d80fcd09
Fixed
634a4408c0615c523cf7531790f4f14a422b9206
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.6.142
Fixed
6.6.144

Affected versions

v6.*
v6.6.142
v6.6.143

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46140.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.144
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.88
Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.18.30
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
7.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46140.json"