A long-running gap in the National Vulnerability Database’s configuration mapping for a serious Linux kernel flaw was finally closed on June 24, 2026, giving enterprise security teams the missing piece they needed to automate detection and remediation. CVE-2026-46140, a vulnerability in the MediaTek btmtk Bluetooth USB driver, had until now lacked precise CPE (Common Platform Enumeration) data—making it impossible for most vulnerability scanners to identify affected Linux systems. The NVD update lists specific kernel version ranges known to be vulnerable, allowing defenders to finally prioritize patching with confidence.
Understanding CVE-2026-46140
First disclosed earlier in 2026, CVE-2026-46140 is a security flaw in the btmtk driver within the Linux kernel. This driver handles Bluetooth communication for MediaTek’s widely used wireless chips, found in everything from Chromebooks and Android tablets to embedded IoT devices. While the full technical details remain under restricted disclosure, typical Bluetooth driver bugs can be exploited by an attacker within radio range to crash the system, leak sensitive information, or execute arbitrary code with kernel privileges. Security researchers have described similar past bugs in other Bluetooth stacks as “wormable” under certain conditions, allowing proximity-based propagation.
The btmtk bug was fixed in the upstream kernel some weeks before the NVD update, but without accurate affected-version data, automated tools like Nessus, Qualys, and OpenSCAP could not report on the vulnerability unless manually imported or coarsely checked against a full kernel version list. The new CPE entry changes that, binding the CVE to precise Linux kernel version ranges.
Why CPE Coverage Matters
CPE is a structured naming scheme for IT products: it specifies vendor, product, version, and other attributes. In vulnerability management, CPE matching is the backbone of automated detection—scanners query the NVD, map installed software to known CPEs, and flag any CVE linked to those CPEs. Without a CPE list, a CVE is essentially invisible to most compliance dashboards and incident response workflows. Security teams are forced to triage such holes manually, often leading to dangerous delays.
For this reason, the addition of “affected configuration” data to CVE-2026-46140 is a significant operational step. It means organizations can now build accurate audit checks, apply overlay files to their vulnerability scanners, and set up automated patch policies that directly reference the stated kernel versions.
Affected Linux Kernel Versions
The NVD update specifies several disjoint version ranges, each corresponding to a different stable or long-term support tree. These ranges are:
| Kernel Series | Vulnerable Version Range | Notes |
|---|---|---|
| 6.6.x LTS | 6.6.142 through <6.7 | Affects 6.6 long-term; fixed in 6.6.143+ |
| 6.11.x – 6.12.x | 6.11 through <6.12.88 | Mainline 6.11 through early 6.12 stable |
| 6.13.x – 6.18.x | 6.13 through <6.18.30 | Multiple stable releases affected |
| 6.19.x – 7.0.x | 6.19 through <7.0.7 | Up to and including early 7.0 releases |
| 7.1 release candidate | 7.1-rc (all) | Fixed before 7.1 final |
The ranges show that the bug was backported to several stable kernels, including the 6.6 LTS branch, which is used by many enterprise distributions. The 7.1 release candidate was also vulnerable, meaning that users who had already adopted the early 7.1 RCs for testing should upgrade to the final 7.1 release or later.
What This Means for Administrators
If your organization runs any Linux systems with MediaTek Bluetooth hardware, you should immediately review kernel versions. The CPE data now allows you to:
- Run a credentialed scan to detect all Linux hosts matching the listed kernel ranges.
- Cross-reference your hardware inventory for MediaTek Bluetooth adapters (USB IDs 0x0e8d and similar).
- Prioritize patching for internet-facing or mobile devices that could be targeted over Bluetooth in public spaces.
Many distributions backport security fixes without changing the base kernel version, which can complicate detection. For example, Red Hat, Ubuntu, or SUSE may release an update that still carries the same version string but includes the btmtk fix. In such cases, you may need to check the distribution’s security advisory rather than relying solely on kernel version. The CPE ranges in NVD are based on upstream stable releases, so they are a starting point you must correlate with your OS vendor’s patch level.
MediaTek Bluetooth Chips and Windows Systems
While the vulnerability itself resides in the Linux kernel, the hardware at the heart of the issue—MediaTek Bluetooth chips—is platform-agnostic. Many Windows laptops from Lenovo, ASUS, and Acer ship with MediaTek Wi-Fi+Bluetooth combo cards (for example, the MT7921 and MT7922). These same silicon components are used in Chromebooks and ARM-based Windows devices as well.
Windows drivers for MediaTek Bluetooth are entirely different codebases, so this CVE does not directly apply. However, history shows that similar Bluetooth firmware and driver flaws often appear across platforms when a shared hardware component is involved. Security researchers have cross-ported exploits between Linux and Windows Bluetooth stacks before. For Windows users, the takeaway is to keep an eye on any corresponding Microsoft or MediaTek security advisories and to keep Bluetooth firmware updated—especially if you dual-boot Linux or run Windows Subsystem for Linux (WSL) with kernel updates that may indirectly affect host Bluetooth behavior.
How to Mitigate
The most direct mitigation is to update the Linux kernel to a version outside the vulnerable ranges mentioned above. For example:
- 6.6 LTS users → upgrade to 6.6.143 or later.
- 6.12 stable users → upgrade to 6.12.88 or later.
- 6.18 stable users → upgrade to 6.18.30 or later.
- 7.0 series → upgrade to 7.0.7 or later.
- 7.1 RC testers → move to the final 7.1 release.
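To turn the version table and the upgrade targets in this list into a repeatable check, the following added example (not code from the article, NVD or any scanner product) parses a `uname -r` string and classifies it against the listed ranges. It assumes the upgrade targets above are the fix boundaries, and it deliberately ignores distribution suffixes, since those say nothing about backported fixes.

```python
"""Map a `uname -r` string onto the CVE-2026-46140 kernel ranges.

Added example, not part of the original article. Ranges follow the NVD table
and the upgrade targets in the "How to Mitigate" list."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first vulnerable, first fixed, start of next series) per stable tree.
# NVD lists 6.6.142 through <6.7 for the LTS tree while the fix note and the
# upgrade advice both say 6.6.143, so 6.6.143 is taken as the fix boundary here.
RANGES = [
    ((6, 6, 142), (6, 6, 143), (6, 7, 0)),
    ((6, 11, 0), (6, 12, 88), (6, 13, 0)),
    ((6, 13, 0), (6, 18, 30), (6, 19, 0)),
    ((6, 19, 0), (7, 0, 7), (7, 1, 0)),
]

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release: str) -> Tuple[Version, Optional[int]]:
    """Return ((major, minor, patch), rc) from strings like '6.12.5-arch1-1'
    or '7.1.0-rc3'. The distribution suffix is dropped: it says nothing about
    whether the vendor backported the btmtk fix."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def assess(release: str) -> Tuple[str, str]:
    """Classify as 'vulnerable', 'fixed' or 'unlisted' with an action hint."""
    ver, rc = parse_release(release)
    if ver >= (7, 1, 0):
        if ver[:2] == (7, 1) and rc is not None:
            return "vulnerable", "7.1 release candidates are affected; move to 7.1 final"
        return "fixed", "7.1 final or later"
    for first_bad, first_fixed, next_series in RANGES:
        if first_bad <= ver < first_fixed:
            return "vulnerable", "upgrade to %d.%d.%d or later" % first_fixed
        if first_fixed <= ver < next_series:
            return "fixed", "at or above %d.%d.%d" % first_fixed
    return "unlisted", "not in an NVD range; check the distribution advisory"


if __name__ == "__main__":
    # Constructed sample release strings, not taken from real hosts.
    for sample in ("6.6.142-generic", "6.12.88-1-default", "7.1.0-rc3", "6.8.0-45-generic"):
        print(sample, *assess(sample))
```

A "fixed" or "unlisted" verdict is only an upstream view; a vendor kernel that keeps its version string but carries the backported fix must still be confirmed against the distribution advisory, as the section above explains.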
If immediate patching isn’t possible, temporary workarounds include unloading the btmtk kernel module (if Bluetooth isn’t essential) or blacklisting the module entirely. This can be done with `modprobe -r btmtk` and adding a `blacklist btmtk` line to a file under `/etc/modprobe.d/`. Note that a `blacklist` line only stops automatic loading by alias; if another module pulls btmtk in as a dependency, an `install btmtk /bin/false` line is needed to block it. Bear in mind that other Bluetooth chips on the same system may use a different driver and keep working, but any MediaTek adapter will cease functioning.
For IoT and embedded devices, check with the manufacturer for firmware updates that include the latest kernel patches. In many consumer devices, updating the kernel is not straightforward—you may be forced to replace the hardware if a patch isn’t provided.
A Win for Vulnerability Automation
The NVD’s move to close the CPE gap for CVE-2026-46140 is a direct response to longstanding criticism from the security community about incomplete CPE data delaying critical fixes. Automated operations teams have long argued that a CVE without configuration entries is a “dark hole” in their scanning posture. With this update, NIST is reinforcing the commitment it has shown in recent years to improve CPE coverage for Linux kernel vulnerabilities, following similar work on other high-profile bugs.
For any security operations center, the lesson is clear: never assume that a CVE with no CPE data has a small impact. Always verify the underlying information and subscribe to distribution-specific announcements. Organizations that rely solely on NVD feeds for their patch management should now see CVE-2026-46140 light up their dashboards, providing the urgency needed to protect Linux endpoints against proximity attacks.
In the long run, as more devices embed MediaTek connectivity solutions, cross-platform vulnerability coordination will become ever more critical. Today’s CPE update is a small administrative step, but for the overworked sysadmin tracking hundreds of Linux boxes, it’s the difference between a known risk and an invisible one.