CVE-2026-46140 Overview
CVE-2026-46140 is an out-of-bounds read vulnerability in the Linux kernel's Bluetooth btmtk driver. The flaw affects MediaTek USB Bluetooth devices that exchange Wireless Module Technology (WMT) events with the host. The function btmtk_usb_hci_wmt_sync() casts socket buffer (SKB) data to fixed-size structures without first validating the buffer length. A short or malformed firmware response can trigger reads past the end of allocated SKB memory.
Critical Impact
A crafted or truncated WMT event response from a MediaTek Bluetooth device can cause out-of-bounds reads from SKB tailroom, potentially leaking kernel memory contents or destabilizing the host kernel.
Affected Products
- Linux kernel versions containing the btmtk USB Bluetooth driver
- Systems using MediaTek USB Bluetooth controllers
- Distributions shipping the affected kernel prior to the upstream stable fixes
Discovery Timeline
- 2026-05-28 - CVE-2026-46140 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46140
Vulnerability Analysis
The vulnerability resides in btmtk_usb_hci_wmt_sync() within the Linux kernel's MediaTek Bluetooth driver. The function processes WMT event responses returned over USB. It casts the SKB payload to struct btmtk_hci_wmt_evt, which spans 7 bytes, and in the FUNC_CTRL path additionally casts to struct btmtk_hci_wmt_evt_funcc, which spans 9 bytes.
The driver performs these casts without verifying that the SKB actually contains enough bytes to back the structures. When the device returns a short WMT response, dereferencing fields of the structure reads beyond the populated SKB data into adjacent tailroom memory. This constitutes an out-of-bounds read [CWE-125].
The upstream fix replaces the unchecked cast with skb_pull_data(). This helper validates that the requested length is available and advances the SKB cursor past the base WMT event header. For the FUNC_CTRL case, the patch additionally pulls the status field bytes before access.
Root Cause
The root cause is missing input validation on attacker-influenced data sourced from a USB Bluetooth peripheral. The driver trusts that incoming WMT response frames meet a minimum length before structure interpretation. No length check exists prior to the structure cast and field dereference.
Attack Vector
Exploitation requires a malicious or malfunctioning MediaTek USB Bluetooth device, or an attacker capable of injecting crafted WMT response frames during firmware sync. The attacker must be able to deliver a short WMT event response to the host. The result is an out-of-bounds read from kernel SKB tailroom, with possible information disclosure or kernel instability.
No synthetic exploitation code is provided. Refer to the upstream commits for the precise patched code paths: Kernel Git Commit 624fb79 and Kernel Git Commit c411cf1.
Detection Methods for CVE-2026-46140
Indicators of Compromise
- Kernel log entries referencing btmtk_usb_hci_wmt_sync failures or unexpected WMT event sizes
- KASAN (Kernel Address Sanitizer) reports flagging out-of-bounds reads inside btmtk driver functions
- Unexpected Bluetooth firmware sync errors or stack traces involving btmtk_usb modules
Detection Strategies
- Audit running kernel versions across the fleet to identify systems still loading vulnerable btmtk driver builds
- Enable KASAN on test and pre-production kernels handling Bluetooth hardware to surface out-of-bounds reads during firmware initialization
- Monitor dmesg and journal output for Bluetooth: btmtk warnings correlated with USB device attach events
Monitoring Recommendations
- Centralize kernel logs and alert on repeated btmtk WMT event errors across endpoints
- Track USB device enumeration events for unexpected MediaTek Bluetooth controllers in sensitive environments
- Track upstream stable tree advisories tied to the four referenced commits and confirm distribution backports land in deployed kernel packages
How to Mitigate CVE-2026-46140
Immediate Actions Required
- Apply the upstream stable kernel updates that include the skb_pull_data() validation fix in btmtk_usb_hci_wmt_sync()
- Inventory endpoints, servers, and embedded devices using MediaTek USB Bluetooth adapters and prioritize patching
- Where patching is delayed, disable or unbind the btmtk_usb driver on systems that do not require Bluetooth
Patch Information
The vulnerability is resolved in upstream Linux kernel commits. Review and confirm backports in your distribution kernel by referencing Kernel Git Commit 624fb79, Kernel Git Commit 634a440, Kernel Git Commit 70d37a8, and Kernel Git Commit c411cf1. The fix replaces unchecked structure casts with skb_pull_data() calls that validate buffer length before access.
Workarounds
- Blacklist the btmtk_usb kernel module on systems that do not need MediaTek Bluetooth functionality
- Physically remove or disable MediaTek USB Bluetooth dongles on high-value hosts until patches are applied
- Restrict physical access to USB ports on sensitive systems to prevent attachment of untrusted Bluetooth devices
# Blacklist the affected driver until the kernel is patched
echo "blacklist btmtk_usb" | sudo tee /etc/modprobe.d/blacklist-btmtk.conf
sudo rmmod btmtk_usb 2>/dev/null || true
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
