{"id":"CVE-2025-40294","summary":"Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()\n\nIn the parse_adv_monitor_pattern() function, the value of\nthe 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).\nThe size of the 'value' array in the mgmt_adv_pattern structure is 31.\nIf the value of 'pattern[i].length' is set in the user space\nand exceeds 31, the 'patterns[i].value' array can be accessed\nout of bound when copied.\n\nIncreasing the size of the 'value' array in\nthe 'mgmt_adv_pattern' structure will break the userspace.\nConsidering this, and to avoid OOB access revert the limits for 'offset'\nand 'length' back to the value of HCI_MAX_AD_LENGTH.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE.","modified":"2026-03-20T12:43:15.138715Z","published":"2025-12-08T00:46:17.899Z","related":["ALSA-2026:1143","ALSA-2026:1690","MGASA-2026-0017","MGASA-2026-0018","SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","openSUSE-SU-2026:20145-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40294.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3a50d59b3781bc3a4e96533612509546a4c309a7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4b7d4aa5399b5a64caee639275615c63c008540d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5f7350ff2b179764a4f40ba4161b60b8aaef857b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8d59fba49362c65332395789fd82771f1028d87e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/96616530f524a0a76248cd44201de0a9e8526190"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40294.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40294"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"99f30e12e588f9982a6eb1916e53510bff25b3b8"},{"fixed":"96616530f524a0a76248cd44201de0a9e8526190"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"db08722fc7d46168fe31d9b8a7b29229dd959f9f"},{"fixed":"5f7350ff2b179764a4f40ba4161b60b8aaef857b"},{"fixed":"4b7d4aa5399b5a64caee639275615c63c008540d"},{"fixed":"3a50d59b3781bc3a4e96533612509546a4c309a7"},{"fixed":"8d59fba49362c65332395789fd82771f1028d87e"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40294.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.159"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.117"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.6.0"},{"fixed":"6.12.58"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.17.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40294.json"}}],"schema_version":"1.7.5"}