CVE-2026-46140

EUVD-2026-32767

28.05.2026, 10:16

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtk: validate WMT event SKB length before struct access

btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to
struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc
(9 bytes) without first checking that the SKB contains enough data.
A short firmware response causes out-of-bounds reads from SKB tailroom.

Use skb_pull_data() to validate and advance past the base WMT event
header. For the FUNC_CTRL case, pull the additional status field bytes
before accessing them.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.257-1 fixed
forky	7.0.9-1 fixed
sid	7.0.10-1 fixed
trixie	vulnerable
trixie (security)	6.12.90-2 fixed

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder andere nicht näher spezifizierte Auswirkungen zu erzielen.
Published: 2026-05-27T22:00:00+00:00

References

https://git.kernel.org/stable/c/624fb79dadc1b65757986a9d0fdde5c0cf3fe179

https://git.kernel.org/stable/c/634a4408c0615c523cf7531790f4f14a422b9206

https://git.kernel.org/stable/c/70d37a8b9229e394cc17ddad47e90b81d80fcd09

https://git.kernel.org/stable/c/c411cf1bfde951cfa821809cf4020ba177f76e0c