CVE-2025-40294

Name	CVE-2025-40294
Description	In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied. Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
linux (PTS)	bullseye	5.10.223-1	fixed
	bullseye (security)	5.10.247-1	fixed
	bookworm	6.1.148-1	vulnerable
	bookworm (security)	6.1.158-1	vulnerable
	trixie	6.12.57-1	vulnerable
	trixie (security)	6.12.48-1	vulnerable
	forky	6.17.9-1	fixed
	sid	6.17.11-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
linux	source	bullseye	(not affected)
linux	source	(unstable)	6.17.8-1

[bullseye] - linux <not-affected> (Vulnerable code not present)
https://git.kernel.org/linus/8d59fba49362c65332395789fd82771f1028d87e (6.18-rc5)