{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40294","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.185Z","datePublished":"2025-12-08T00:46:17.899Z","dateUpdated":"2026-05-11T21:46:34.068Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:46:34.068Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()\n\nIn the parse_adv_monitor_pattern() function, the value of\nthe 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).\nThe size of the 'value' array in the mgmt_adv_pattern structure is 31.\nIf the value of 'pattern[i].length' is set in the user space\nand exceeds 31, the 'patterns[i].value' array can be accessed\nout of bound when copied.\n\nIncreasing the size of the 'value' array in\nthe 'mgmt_adv_pattern' structure will break the userspace.\nConsidering this, and to avoid OOB access revert the limits for 'offset'\nand 'length' back to the value of HCI_MAX_AD_LENGTH.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/bluetooth/mgmt.h","net/bluetooth/mgmt.c"],"versions":[{"version":"99f30e12e588f9982a6eb1916e53510bff25b3b8","lessThan":"96616530f524a0a76248cd44201de0a9e8526190","status":"affected","versionType":"git"},{"version":"db08722fc7d46168fe31d9b8a7b29229dd959f9f","lessThan":"5f7350ff2b179764a4f40ba4161b60b8aaef857b","status":"affected","versionType":"git"},{"version":"db08722fc7d46168fe31d9b8a7b29229dd959f9f","lessThan":"4b7d4aa5399b5a64caee639275615c63c008540d","status":"affected","versionType":"git"},{"version":"db08722fc7d46168fe31d9b8a7b29229dd959f9f","lessThan":"3a50d59b3781bc3a4e96533612509546a4c309a7","status":"affected","versionType":"git"},{"version":"db08722fc7d46168fe31d9b8a7b29229dd959f9f","lessThan":"8d59fba49362c65332395789fd82771f1028d87e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/bluetooth/mgmt.h","net/bluetooth/mgmt.c"],"versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","status":"unaffected","versionType":"semver"},{"version":"6.1.159","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.58","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.8","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.83","versionEndExcluding":"6.1.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.12.58"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.17.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/96616530f524a0a76248cd44201de0a9e8526190"},{"url":"https://git.kernel.org/stable/c/5f7350ff2b179764a4f40ba4161b60b8aaef857b"},{"url":"https://git.kernel.org/stable/c/4b7d4aa5399b5a64caee639275615c63c008540d"},{"url":"https://git.kernel.org/stable/c/3a50d59b3781bc3a4e96533612509546a4c309a7"},{"url":"https://git.kernel.org/stable/c/8d59fba49362c65332395789fd82771f1028d87e"}],"title":"Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()","x_generator":{"engine":"bippy-1.2.0"}}}}