CVE-2025-40294
VYPR NVD Advisory · Unrated severity · Published Dec 8, 2025 · Updated Apr 15, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()

In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH (251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bounds when copied.

Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break userspace. Considering this, and to avoid OOB access, revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Fixed an OOB memory access in Linux Bluetooth MGMT's parse_adv_monitor_pattern() due to missing size check on pattern data length.

Root Cause

The vulnerability resides in parse_adv_monitor_pattern() within the Bluetooth MGMT subsystem of the Linux kernel. The function limits the length variable to HCI_MAX_EXT_AD_LENGTH (251), but the value array in the mgmt_adv_pattern structure has a fixed size of 31. When a user-space application sets pattern[i].length to a value greater than 31, the subsequent copy operation writes beyond the bounds of patterns[i].value, triggering an out-of-bounds (OOB) access [1][2].

Exploitation Path

An attacker with the ability to send crafted MGMT commands from user space can exploit this flaw. No authentication is needed beyond the ability to interact with the Bluetooth subsystem via the MGMT socket. By supplying a length field exceeding 31 but within the 251 limit, the attacker forces an OOB write, potentially corrupting adjacent kernel memory [1][2].

Impact

Successful exploitation may lead to memory corruption, system crash (denial of service), or potentially arbitrary code execution in kernel context. The vulnerability was discovered by InfoTeCS on behalf of the Linux Verification Center (linuxtesting.org) using the SVACE static analysis tool [1][2].

Mitigation

The fix reverts the limits for offset and length back to HCI_MAX_AD_LENGTH, so the largest length user space can pass is the size of the fixed 31-byte 'value' buffer. Affected stable kernels have received the patch; users should update to a kernel version containing the commit. No workaround is available [1][2].
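The bounds mismatch that the Description and the Mitigation section walk through, reduced to the check itself. This is a C model added here for illustration, not the kernel's parse_adv_monitor_pattern() code: it keeps the mgmt_adv_pattern layout and the two limits named on the page, compares the pre-fix check (limit HCI_MAX_EXT_AD_LENGTH, 251) with the post-fix check (limit HCI_MAX_AD_LENGTH), adds the compile-time guard that ties the limit to the buffer size, and only copies a pattern once the fixed check has passed. Assumptions: HCI_MAX_AD_LENGTH is 31 (the kernel's value; the page only states the array is 31 bytes), the field order and the exact set of comparisons are modeled rather than copied from the kernel, and the sample pattern in copy_demo() is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits as named on the page. HCI_MAX_AD_LENGTH = 31 is assumed (kernel value). */
#define HCI_MAX_AD_LENGTH      31
#define HCI_MAX_EXT_AD_LENGTH  251

/* Modeled after the mgmt_adv_pattern layout the advisory describes:
 * a user-supplied 'length' that must fit inside the 31-byte 'value' array. */
struct mgmt_adv_pattern {
    uint8_t ad_type;
    uint8_t offset;
    uint8_t length;
    uint8_t value[HCI_MAX_AD_LENGTH];
};

/* Compile-time guard: the bound we validate against must equal the buffer
 * size. A check written against HCI_MAX_EXT_AD_LENGTH would fail to build. */
_Static_assert(sizeof(((struct mgmt_adv_pattern *)0)->value) == HCI_MAX_AD_LENGTH,
               "length limit must equal the size of mgmt_adv_pattern.value");

/* Bounds check parameterised by the limit so both variants can be compared.
 * Modeled comparisons, not the kernel's exact code. Returns true if accepted. */
static bool pattern_within_limit(uint8_t offset, uint8_t length, size_t limit)
{
    if ((size_t)offset >= limit)          /* cannot start past the end */
        return false;
    if (length == 0 || (size_t)length > limit)
        return false;
    if ((size_t)offset + length > limit)  /* offset + length must fit too */
        return false;
    return true;
}

/* Pre-fix behaviour as described: limit is 251 although the buffer is 31. */
bool pattern_ok_vulnerable(uint8_t offset, uint8_t length)
{
    return pattern_within_limit(offset, length, HCI_MAX_EXT_AD_LENGTH);
}

/* Post-fix behaviour: limit reverted to HCI_MAX_AD_LENGTH, the array size. */
bool pattern_ok_fixed(uint8_t offset, uint8_t length)
{
    return pattern_within_limit(offset, length, HCI_MAX_AD_LENGTH);
}

/* Copy a pattern only after the fixed check passes, so the memcpy is provably
 * within 'value'. Returns bytes copied, or 0 if the pattern was rejected. */
size_t copy_pattern_checked(struct mgmt_adv_pattern *dst,
                            const struct mgmt_adv_pattern *src)
{
    if (!pattern_ok_fixed(src->offset, src->length))
        return 0;
    dst->ad_type = src->ad_type;
    dst->offset  = src->offset;
    dst->length  = src->length;
    memcpy(dst->value, src->value, src->length);
    return src->length;
}

/* Constructed sample: AD type 0x09 with 'length' bytes of filler at offset 0.
 * Returns how many bytes copy_pattern_checked() accepted. */
size_t copy_demo(uint8_t length)
{
    struct mgmt_adv_pattern src = { .ad_type = 0x09, .offset = 0, .length = length };
    struct mgmt_adv_pattern dst = { 0 };
    memset(src.value, 0xAA, sizeof src.value);
    return copy_pattern_checked(&dst, &src);
}

/* Exhaustively count (offset, length) pairs a check accepts although
 * offset + length exceeds the real buffer. The fixed check must return 0. */
size_t count_overflowing_accepts(bool (*check)(uint8_t, uint8_t))
{
    size_t n = 0;
    for (unsigned off = 0; off < 256; off++)
        for (unsigned len = 0; len < 256; len++)
            if (check((uint8_t)off, (uint8_t)len) && off + len > HCI_MAX_AD_LENGTH)
                n++;
    return n;
}

int main(void)
{
    printf("vulnerable check admits %zu over-length patterns\n",
           count_overflowing_accepts(pattern_ok_vulnerable));
    printf("fixed check admits %zu over-length patterns\n",
           count_overflowing_accepts(pattern_ok_fixed));
    return 0;
}
```

The exhaustive sweep in count_overflowing_accepts() is the kind of unit test that would have caught the regression: any bound that is not derived from the destination's sizeof can drift from it, and the _Static_assert pins the two together so a future change to the limit fails at build time rather than at copy time.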

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 5

Vulnerability mechanics: generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in the index yet).