Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2025-40294

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
08/12/2025
Last modified:
08/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()

In the parse_adv_monitor_pattern() function, the value of
the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).
The size of the 'value' array in the mgmt_adv_pattern structure is 31.
If the value of 'pattern[i].length' is set in the user space
and exceeds 31, the 'patterns[i].value' array can be accessed
out of bound when copied.

Increasing the size of the 'value' array in
the 'mgmt_adv_pattern' structure will break the userspace.
Considering this, and to avoid OOB access revert the limits for 'offset'
and 'length' back to the value of HCI_MAX_AD_LENGTH.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
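
A simplified user-space model of the bounds check described above, added here as an example; it is not the kernel's code or the actual patch. The struct layouts and the names `pattern_in`, `pattern_out`, `pattern_fits` and `copy_patterns` are assumptions for illustration. It shows that a record with length 32 passes a 251-byte limit but is rejected once the limit matches the 31-byte `value` array.

```c
#include <stdint.h>
#include <string.h>

/* Limits named in the advisory. */
#define HCI_MAX_AD_LENGTH      31
#define HCI_MAX_EXT_AD_LENGTH 251

/* Simplified model (assumption) of a pattern record filled in by user space. */
struct pattern_in {
    uint8_t ad_type, offset, length;
    uint8_t value[HCI_MAX_AD_LENGTH];   /* fixed 31-byte array */
};

/* Hypothetical internal copy kept by the consumer. */
struct pattern_out {
    uint8_t ad_type, offset, length;
    uint8_t value[HCI_MAX_AD_LENGTH];
};

/* 1 if the pattern's offset/length stay within 'limit' bytes, else 0. */
static int pattern_fits(const struct pattern_in *p, unsigned limit)
{
    unsigned offset = p->offset, length = p->length;
    return offset < limit && length <= limit && offset + length <= limit;
}

/* Validate every record against the array size before copying any of them.
 * Returns 0 on success, -1 if any record is out of range. */
int copy_patterns(struct pattern_out *dst, const struct pattern_in *src, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (!pattern_fits(&src[i], HCI_MAX_AD_LENGTH))
            return -1;
    for (size_t i = 0; i < count; i++) {
        dst[i].ad_type = src[i].ad_type;
        dst[i].offset = src[i].offset;
        dst[i].length = src[i].length;
        memcpy(dst[i].value, src[i].value, src[i].length);
    }
    return 0;
}

int main(void)
{
    struct pattern_in in = { .ad_type = 0x09, .offset = 0, .length = 32 }; /* constructed input */
    struct pattern_out out;
    /* Passes the 251 limit, fails the 31 limit, so nothing is copied. */
    return (pattern_fits(&in, HCI_MAX_EXT_AD_LENGTH) && copy_patterns(&out, &in, 1) == -1) ? 0 : 1;
}
```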

Impact