PatchSiren

CVE-2026-46140 Linux CVE debrief

A vulnerability in the Linux kernel's Bluetooth MediaTek (btmtk) driver allowed out-of-bounds reads from socket buffer (SKB) tailroom. The btmtk_usb_hci_wmt_sync() function cast WMT event response data to fixed-size structures (the 7-byte btmtk_hci_wmt_evt and the 9-byte btmtk_hci_wmt_evt_funcc) without first validating that the SKB contained enough data. Malicious or malfunctioning firmware could send a short response, triggering memory reads beyond the allocated buffer. The fix uses skb_pull_data() to validate and advance past the WMT event header, and adds length checks for the FUNC_CTRL status fields before they are accessed.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Linux systems with MediaTek Bluetooth USB adapters; kernel maintainers and distribution security teams responsible for stable kernel backports; embedded/IoT device manufacturers using MediaTek Bluetooth chipsets

Technical summary

The btmtk_usb_hci_wmt_sync() function in the Linux kernel's Bluetooth MediaTek USB driver cast WMT event response data to fixed-size structures without validating its length. The function expected at least 7 bytes for struct btmtk_hci_wmt_evt and 9 bytes for struct btmtk_hci_wmt_evt_funcc, but did not verify that the SKB held that much data before dereferencing. This allowed out-of-bounds reads from SKB tailroom when processing short or malformed firmware responses. The remediation uses skb_pull_data() to validate and consume the base WMT event header in a single call, with additional pulls for the FUNC_CTRL status fields, so that every access is length-checked and adjacent memory is not disclosed.
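The check-then-consume pattern described above, as an added user-space example (not the kernel patch or any code from the driver). `struct buf`, `buf_pull_data()` and `wmt_funcc_status()` are hypothetical names that model skb_pull_data(); the position and byte order of the status field are assumptions, and the sample responses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WMT_EVT_LEN      7 /* struct btmtk_hci_wmt_evt, size per the advisory */
#define WMT_FUNCC_ST_LEN 2 /* 9-byte btmtk_hci_wmt_evt_funcc minus the header */

/* Hypothetical stand-in for an SKB: read cursor plus count of valid bytes. */
struct buf { const uint8_t *data; size_t len; };

/* Models skb_pull_data(): hand back the current position and advance by n,
 * or return NULL and leave the buffer untouched if fewer than n bytes remain. */
static const uint8_t *buf_pull_data(struct buf *b, size_t n)
{
	const uint8_t *p = b->data;
	if (b->len < n)
		return NULL;
	b->data += n;
	b->len -= n;
	return p;
}

/* Returns the FUNC_CTRL status (0..0xffff), -1 if the base event header is
 * short, -2 if the status field is missing. Assumes the status is the
 * big-endian 16-bit value directly after the 7-byte header. */
int wmt_funcc_status(const uint8_t *resp, size_t resp_len)
{
	struct buf b = { resp, resp_len };
	const uint8_t *st;
	if (!buf_pull_data(&b, WMT_EVT_LEN))
		return -1;
	st = buf_pull_data(&b, WMT_FUNCC_ST_LEN);
	if (!st)
		return -2;
	return (st[0] << 8) | st[1];
}

/* Constructed sample responses, not captured from real firmware. */
static const uint8_t full_resp[9]  = { 0xe4, 0x07, 0x02, 0x06, 0x02, 0x00, 0x00, 0x12, 0x34 };
static const uint8_t no_status[7]  = { 0xe4, 0x05, 0x02, 0x06, 0x00, 0x00, 0x00 };
static const uint8_t short_resp[4] = { 0xe4, 0x02, 0x02, 0x06 };

int main(void)
{
	printf("full=%#x no_status=%d short=%d\n", wmt_funcc_status(full_resp, sizeof(full_resp)),
	       wmt_funcc_status(no_status, sizeof(no_status)),
	       wmt_funcc_status(short_resp, sizeof(short_resp)));
	return 0;
}
```

A direct cast of the 4-byte or 7-byte response to the 9-byte structure is the pattern that reads past the valid data; here both are rejected before any field is touched.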

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches when available through distribution security channels
  • Verify btmtk driver is updated to include skb_pull_data() length validation for WMT event processing
  • Monitor kernel security advisories for stable backport availability
  • Review systems with MediaTek Bluetooth USB adapters for kernel update status

Evidence notes

The vulnerability description confirms an out-of-bounds read caused by insufficient SKB length validation in btmtk_usb_hci_wmt_sync(). The kernel.org commits provide the patch implementation, which uses skb_pull_data() for safe header access.
