vulnerability

Red Hat: CVE-2025-40294: kernel: Linux kernel: Out-of-bounds write in Bluetooth MGMT can lead to information disclosure and denial of service (Multiple Advisories)

Name: Red Hat: CVE-2025-40294: kernel: Linux kernel: Out-of-bounds write in Bluetooth MGMT can lead to information disclosure and denial of service (Multiple Advisories)
Creator: Red Hat
Published: 2025-12-08T00:00:00.000Z
Keywords: CVE, Red Hat, 2025, 40294, kernel, redhat-upgrade-kernel, redhat-upgrade-kernel-rt, Severity 6

Try Surface Command

Back to search

Severity

CVSS

(AV:L/AC:L/Au:S/C:C/I:P/A:C)

Published

Dec 8, 2025

Added

Jan 27, 2026

Modified

May 13, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()

In the parse_adv_monitor_pattern() function, the value of
the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).
The size of the 'value' array in the mgmt_adv_pattern structure is 31.
If the value of 'pattern[i].length' is set in the user space
and exceeds 31, the 'patterns[i].value' array can be accessed
out of bound when copied.

Increasing the size of the 'value' array in
the 'mgmt_adv_pattern' structure will break the userspace.
Considering this, and to avoid OOB access revert the limits for 'offset'
and 'length' back to the value of HCI_MAX_AD_LENGTH.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Solutions

redhat-upgrade-kernelredhat-upgrade-kernel-rt

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report