CVE-2026-46140

{"id": "CVE-2026-46140", "cveTags": [], "metrics": {}, "published": "2026-05-28T10:16:29.580", "references": [{"url": "https://git.kernel.org/stable/c/624fb79dadc1b65757986a9d0fdde5c0cf3fe179", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/634a4408c0615c523cf7531790f4f14a422b9206", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/70d37a8b9229e394cc17ddad47e90b81d80fcd09", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c411cf1bfde951cfa821809cf4020ba177f76e0c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtk: validate WMT event SKB length before struct access\n\nbtmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to\nstruct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc\n(9 bytes) without first checking that the SKB contains enough data.\nA short firmware response causes out-of-bounds reads from SKB tailroom.\n\nUse skb_pull_data() to validate and advance past the base WMT event\nheader. For the FUNC_CTRL case, pull the additional status field bytes\nbefore accessing them."}], "lastModified": "2026-05-28T13:44:01.663", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}