CVE-2026-46140
A flaw in the Linux kernel's Bluetooth driver (btmtk) fails to verify that incoming firmware responses contain sufficient data before reading from them. If a Bluetooth device sends a truncated or malformed response, the kernel code will read beyond the valid data boundaries, potentially exposing sensitive kernel memory. A local attacker with Bluetooth access could exploit this to leak information or crash the system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-07-04
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: validate WMT event SKB length before struct access btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom. Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The btmtk_usb_hci_wmt_sync() function in the Linux kernel Bluetooth subsystem performs unsafe pointer casts on socket buffer (SKB) data without length validation. Specifically, it casts WMT (Wireless Management Transport) event response data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without confirming the SKB contains the required minimum payload. This allows out-of-bounds reads into SKB tailroom when a firmware response is shorter than expected. The fix introduces skb_pull_data() calls to atomically validate buffer length and advance the read pointer, preventing access to uninitialized or freed memory regions.
Business impact
Systems running vulnerable Linux kernels with Bluetooth hardware are exposed to local privilege escalation and information disclosure. A user with local access and Bluetooth capability (which may include unprivileged processes in permissive configurations) could read kernel memory to extract sensitive data or trigger denial-of-service conditions. In environments where Bluetooth functionality is exposed to untrusted users or guest VMs, this creates a containment breach risk.
Affected systems
All Linux kernel versions containing the vulnerable btmtk driver code are affected. The vulnerability impacts systems with MediaTek Bluetooth USB adapters or integrated Bluetooth chipsets using the btmtk driver. Affected platforms include consumer laptops, edge devices, and IoT systems running Linux with Bluetooth support. Verify your kernel version against the vendor advisory and check dmesg or modinfo for btmtk driver presence.
Exploitability
Exploitation requires local system access and Bluetooth privileges. An attacker cannot trigger this remotely; however, the barrier to exploitation is relatively low—crafting a malformed Bluetooth response or using a compromised Bluetooth device is within reach of determined local users. The vulnerability does not require elevated privileges initially, though triggering reliable information leakage may depend on memory layout and timing. No public exploit code is known at this time, but the flaw is straightforward enough that proof-of-concept development would be feasible for skilled researchers.
Remediation
Apply kernel patches that implement proper SKB length validation using skb_pull_data() before struct member access in the btmtk driver. Verify against the vendor advisory for the exact patch version applicable to your kernel series. Alternatively, disable Bluetooth functionality if not required, or restrict Bluetooth access via LSM policies or userspace permissions until patching is complete.
Patch guidance
Consult the Linux kernel security advisory and your distribution's patch tracking system (e.g., Ubuntu Security Notices, Red Hat Advisories) for the specific kernel version containing the fix. Patch versions vary by stable kernel branch; verify the exact version against your current kernel release. Most distributions will backport this fix to stable and LTS releases. Test patches in a non-production environment before wider deployment, particularly if Bluetooth is critical to your use case.
Detection guidance
Monitor kernel logs for Bluetooth (btmtk) driver errors or memory access warnings. Systems running kernel address sanitizer (KASAN) or other memory safety tools will generate diagnostics on exploitation attempts. Endpoint detection tools tracking unusual Bluetooth device interactions or firmware responses may identify attack attempts, though direct visibility into in-kernel buffer reads is limited without instrumentation. Threat hunting should focus on systems with Bluetooth enabled in untrusted sharing scenarios.
Why prioritize this
This vulnerability scores HIGH (7.1 CVSS) due to high confidentiality impact (kernel memory disclosure) and high availability impact (denial of service). Local exploitability is the main limiting factor; however, in multi-tenant or guest-facing environments, local access may be readily available. The btmtk driver affects a broad range of consumer and embedded systems. Prioritize patching for systems where Bluetooth is exposed to less-trusted users or where kernel memory isolation is a regulatory requirement.
Risk score, explained
CVSS 7.1 reflects the combination of local attack vector (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), and high impact on confidentiality (C:H) and availability (A:H). The score does not account for integrity impact because out-of-bounds reads do not directly modify kernel state. In environments where local access is tightly controlled, actual risk is lower; in open-access or shared systems, risk approaches the scored level.
Frequently asked questions
Can this vulnerability be exploited remotely over Bluetooth without local system access?
No. Exploitation requires local system access and typically Bluetooth user-group privileges. The flaw is triggered by processing malformed Bluetooth firmware responses, which requires code execution on the affected system to compose and send such responses.
Will a simple kernel update fix this, or do I need to reconfigure my system?
A kernel update incorporating the patch is sufficient. No configuration changes are required post-patch. However, you may wish to audit and restrict Bluetooth access permissions if you have not already done so as a defense-in-depth measure.
How can I tell if my system is running the vulnerable btmtk driver?
Check for btmtk in loaded kernel modules using 'lsmod | grep btmtk' or inspect your Bluetooth hardware via 'lsusb' or 'rfkill list'. If you see MediaTek USB IDs or btmtk in your driver list and your kernel version predates the patch, assume you are affected until verified otherwise.
What is the difference between the two vulnerable struct casts mentioned in the description?
The btmtk_hci_wmt_evt is the base WMT event header (7 bytes) that all responses contain. The btmtk_hci_wmt_evt_funcc is a larger struct (9 bytes) used specifically for FUNC_CTRL event type responses. The vulnerability exists in both cases because neither is bounds-checked before access.
This analysis is based on public vulnerability data and kernel commit information current as of the advisory publish date. Actual risk and patch applicability vary by distribution, kernel version, and system configuration. Test all patches in non-production environments before deployment. Consult your Linux distribution's security advisories and vendor documentation for distribution-specific guidance. SEC.co makes no warranty regarding the completeness or applicability of this analysis to your specific infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGH
CVE-2026-10889: Critical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGH
CVE-2026-10927: Chrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGH
CVE-2026-10941: Skia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGH
CVE-2026-11015: Critical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-46130HIGH
CVE-2026-46130: Linux Kernel dm-verity-fec Out-of-Bounds Read – Vulnerability Details
- CVE-2026-46133HIGH
CVE-2026-46133: Linux RDMA/rxe Kernel Panic via Invalid Opcode DoS
- CVE-2026-46138HIGH
CVE-2026-46138: Linux Bluetooth Kernel Out-of-Bounds Read and DoS Vulnerability
- CVE-2026-10998MEDIUM
CVE-2026-10998: Chrome Media Out-of-Bounds Memory Read Vulnerability