Out-of-Bounds Access in Linux Kernel Bluetooth Functionality
CVE-2025-40294
What is CVE-2025-40294?
In the Linux kernel, a vulnerability was identified within the Bluetooth functionality, specifically in the parse_adv_monitor_pattern() function. The flaw arises from insufficient limits on the 'length' variable (and the 'offset' that accompanies it), which, when controlled by user space, allow out-of-bounds access to the 'value' array in the mgmt_adv_pattern structure. Because that array holds only 31 bytes, a length supplied from user space that exceeds 31 causes the kernel to read past the end of the array, leading to unauthorized memory access and potential crashes. The fix reverts the limits for 'offset' and 'length' to HCI_MAX_AD_LENGTH, so that user space can no longer trigger the out-of-bounds access.
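The range check described above, shown in both forms as an added example that is not the kernel's own code: the pre-fix bound is assumed here to be HCI_MAX_EXT_AD_LENGTH (251, a constant the advisory does not name), beside the HCI_MAX_AD_LENGTH bound the fix restores, with a constructed pattern to show which lengths each bound accepts. The struct layout follows the advisory's description; the helper names are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* HCI_MAX_AD_LENGTH is the bound the advisory names as the fix; the pre-fix
 * bound is assumed to be HCI_MAX_EXT_AD_LENGTH (251 in upstream headers). */
#define HCI_MAX_AD_LENGTH     31
#define HCI_MAX_EXT_AD_LENGTH 251

/* User-space request layout as the advisory describes it: value[] is 31 bytes. */
struct mgmt_adv_pattern {
	uint8_t ad_type;
	uint8_t offset;
	uint8_t length;
	uint8_t value[31];
};

/* The parse_adv_monitor_pattern() range check, parameterised on the limit.
 * With max == 251 (pre-fix) a length of 32..251 passes although value[]
 * holds 31 bytes; with max == HCI_MAX_AD_LENGTH (the fix) it cannot. */
static int pattern_in_range(const struct mgmt_adv_pattern *p, unsigned max)
{
	return !(p->offset >= max || p->length > max ||
		 p->offset + p->length > max);
}

/* Copies pattern bytes only after the fixed check passes; returns the count
 * copied or -1 if rejected, so the memcpy never reads past value[31]. */
static int copy_pattern_value(const struct mgmt_adv_pattern *p,
			      uint8_t *dst, size_t dst_len)
{
	if (!pattern_in_range(p, HCI_MAX_AD_LENGTH) || p->length > dst_len)
		return -1;
	memcpy(dst, p->value, p->length);
	return p->length;
}

/* Constructed sample (offset 0, ad_type 0x09) of the given length, run
 * through the check with the given limit; returns 1 if accepted. */
static int length_accepted(uint8_t length, unsigned max)
{
	struct mgmt_adv_pattern p = { .ad_type = 0x09, .length = length };
	return pattern_in_range(&p, max);
}

/* The same constructed sample through the guarded copy. */
static int copy_result(uint8_t length)
{
	struct mgmt_adv_pattern p = { .ad_type = 0x09, .length = length };
	uint8_t dst[HCI_MAX_AD_LENGTH];
	return copy_pattern_value(&p, dst, sizeof dst);
}
```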
Affected Version(s)
Linux 99f30e12e588f9982a6eb1916e53510bff25b3b8 < 96616530f524a0a76248cd44201de0a9e8526190
Linux db08722fc7d46168fe31d9b8a7b29229dd959f9f < 5f7350ff2b179764a4f40ba4161b60b8aaef857b
Linux db08722fc7d46168fe31d9b8a7b29229dd959f9f < 4b7d4aa5399b5a64caee639275615c63c008540d