CVE-2025-40294

Linux Kernel < 6.1.159, 6.2.0-6.6.117, 6.6.0-6.12.58, 6.7.0-6.17.8 - Bluetooth MGMT Adv Monitor Out-of-Bounds Access

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()

In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH (251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.

Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.
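The limit change described above, modelled in userspace C as an added example (not the kernel's code and not the patch itself). The names struct pattern_req, within_limit(), check_before_fix(), check_after_fix() and copy_pattern() are hypothetical, and the field layout and the three-part shape of the check are assumptions; only the limits 251 and 31 come from the description.

```c
#include <stdint.h>
#include <string.h>

/* Limits named in the description: 251 (extended) and 31 (legacy). */
#define HCI_MAX_EXT_AD_LENGTH 251
#define HCI_MAX_AD_LENGTH      31

/* Simplified model of one pattern element sent by userspace (layout assumed). */
struct pattern_req {
    uint8_t ad_type;
    uint8_t offset;
    uint8_t length;
    uint8_t value[HCI_MAX_AD_LENGTH];   /* fixed 31-byte buffer */
};

/* Assumed shape of the check: offset, length and their sum against one limit. */
static int within_limit(const struct pattern_req *r, unsigned limit)
{
    return r->offset < limit && r->length <= limit &&
           (unsigned)r->offset + r->length <= limit;
}

/* Pre-fix bound: accepts lengths up to 251 although value[] holds only 31. */
int check_before_fix(const struct pattern_req *r)
{
    return within_limit(r, HCI_MAX_EXT_AD_LENGTH);
}

/* Post-fix bound: an accepted length can never exceed sizeof(value). */
int check_after_fix(const struct pattern_req *r)
{
    return within_limit(r, HCI_MAX_AD_LENGTH);
}

/* Copy only after the fixed check; returns bytes copied, or -1 if rejected. */
int copy_pattern(uint8_t *dst, size_t dst_len, const struct pattern_req *r)
{
    if (!check_after_fix(r) || r->length > dst_len)
        return -1;
    memcpy(dst, r->value, r->length);
    return r->length;
}
```

A request with length 32 passes the 251-based check but is rejected by the 31-based one, which is the gap the fix closes.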

Scores

EPSS 0.0004
EPSS Percentile 13.4%

Details

Status published
Products (17)
linux/Kernel < 6.1.159
linux/Kernel 6.2.0 - 6.6.117
linux/Kernel 6.6.0 - 6.12.58
linux/Kernel 6.7.0 - 6.17.8
Linux/Linux < 6.6
Linux/Linux 6.1.159 - 6.1.*
Linux/Linux 6.1.83 - 6.1.159
Linux/Linux 6.12.58 - 6.12.*
Linux/Linux 6.17.8 - 6.17.*
Linux/Linux 6.18
... and 7 more
Published Dec 08, 2025
Tracked Since Feb 18, 2026