CVE-2025-40213

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete<br /> <br /> There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to<br /> memcpy from badly declared on-stack flexible array.<br /> <br /> Another crash is in set_mesh_complete() due to double list_del via<br /> mgmt_pending_valid + mgmt_pending_remove.<br /> <br /> Use DEFINE_FLEX to declare the flexible array right, and don&amp;#39;t memcpy<br /> outside bounds.<br /> <br /> As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,<br /> and also report status on error.