CVE-2025-40294

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()

In the parse_adv_monitor_pattern() function, the value of the length variable is currently limited to HCI_MAX_EXT_AD_LENGTH (251). The size of the value array in the mgmt_adv_pattern structure is 31. If the value of pattern[i].length is set in the user space and exceeds 31, the patterns[i].value array can be accessed out of bound when copied.

Increasing the size of the value array in the mgmt_adv_pattern structure will break the userspace. Considering this, and to avoid OOB access revert the limits for offset and length back to the value of HCI_MAX_AD_LENGTH.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.
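The limit mismatch described above, modelled in user-space C as an added example (not the kernel's code and not part of the original record): it checks which length values each limit lets through against a 31-byte value array. The struct and function names are hypothetical, and the value 31 for HCI_MAX_AD_LENGTH and the three-part form of the check are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HCI_MAX_AD_LENGTH     31   /* assumed value; matches the 31-byte value[] */
#define HCI_MAX_EXT_AD_LENGTH 251  /* limit named in the description */

/* Hypothetical model of one user-supplied pattern. */
struct adv_pattern_in {
    uint8_t ad_type;
    uint8_t offset;
    uint8_t length;
    uint8_t value[HCI_MAX_AD_LENGTH];
};

/* Assumed shape of the validation: 0 = accepted, -1 = rejected. */
int pattern_check(const struct adv_pattern_in *p, unsigned limit)
{
    unsigned offset = p->offset, length = p->length;

    if (offset >= limit || length > limit || offset + length > limit)
        return -1;
    return 0;
}

/* Copy value[] only when length is validated against the array's real size. */
int pattern_copy(uint8_t *dst, size_t dst_len, const struct adv_pattern_in *p)
{
    if (pattern_check(p, HCI_MAX_AD_LENGTH) != 0 || p->length > dst_len)
        return -1;
    memcpy(dst, p->value, p->length);
    return p->length;
}

/* Returns 1 if some length accepted under `limit` exceeds sizeof(value). */
int limit_allows_oob(unsigned limit)
{
    struct adv_pattern_in p = {0};

    for (unsigned len = 0; len <= 255; len++) {
        p.length = (uint8_t)len;
        if (pattern_check(&p, limit) == 0 && len > sizeof(p.value))
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("limit 251 admits oversize length: %d\n", limit_allows_oob(HCI_MAX_EXT_AD_LENGTH));
    printf("limit 31 admits oversize length:  %d\n", limit_allows_oob(HCI_MAX_AD_LENGTH));
    return 0;
}
```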

Risk Information

Base Score: 7.3 MODERATE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
EPSS Score (Exploitation Probability): 0.039

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234