Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix memory leak in set_ssp_complete

Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
are not freed after being removed from the pending list.

Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
mgmt_pending_foreach() calls with individual command handling but missed
adding mgmt_pending_free() calls in both error and success paths of
set_ssp_complete(). Other completion functions like set_le_complete()
were fixed correctly in the same commit.

This causes a memory leak of the mgmt_pending_cmd structure and its
associated parameter data for each SSP command that completes.

Add the missing mgmt_pending_free(cmd) calls in both code paths to fix
the memory leak. Also fix the same issue in set_advertising_complete().
Published: 2026-02-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Resource Exhaustion
Action: Patch
AI Analysis

Impact

A memory leak in the Bluetooth management subsystem occurs when SSP (Secure Simple Pairing) completion callbacks fail to free allocated pending command structures. Each completed SSP command retains a mgmt_pending_cmd object and its parameters, consuming kernel memory until the system shuts down. While the CVE does not provide code execution or privilege escalation, the accumulation of unreleased memory can degrade system responsiveness and potentially lead to a device‑wide denial of service if the leak is sufficiently abused, especially on resource‑constrained embedded devices.
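The leak pattern described above, as an added userspace model (not kernel source and not part of the original advisory). A fixed pool of 64 slots stands in for kernel memory, and all names (pending_cmd, pending_add, pending_remove, run_until_oom) are hypothetical. It compares a completion path that only unlinks the command from the pending list with one that also releases it.

```c
/* Userspace model, constructed for illustration; not kernel source. */
#include <stdio.h>
#include <string.h>
#define POOL_SLOTS 64                 /* stand-in for finite kernel memory */
struct pending_cmd {
    int in_use;                       /* slot is allocated */
    struct pending_cmd *next;         /* link in the pending list */
    unsigned char param[16];          /* associated parameter data */
};
static struct pending_cmd pool[POOL_SLOTS], *pending_head;

/* Allocate a command and queue it; NULL once the pool is exhausted. */
static struct pending_cmd *pending_add(void) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].in_use)
            continue;
        pool[i].in_use = 1;
        pool[i].next = pending_head;
        return pending_head = &pool[i];
    }
    return NULL;
}

/* Unlink only: the command leaves the list but stays allocated. */
static void pending_remove(struct pending_cmd *cmd) {
    struct pending_cmd **pp = &pending_head;
    while (*pp && *pp != cmd)
        pp = &(*pp)->next;
    if (*pp)
        *pp = cmd->next;
}

/* Complete up to max commands; fixed != 0 adds the missing release. */
int run_until_oom(int fixed, int max) {
    memset(pool, 0, sizeof(pool));
    pending_head = NULL;
    for (int n = 0; n < max; n++) {
        struct pending_cmd *cmd = pending_add();
        if (!cmd)
            return n;                 /* allocation failed: pool leaked dry */
        pending_remove(cmd);          /* both variants unlink the command */
        if (fixed)
            cmd->in_use = 0;          /* the release the leaky variant omits */
    }
    return max;
}
int main(void) {
    printf("leaky=%d fixed=%d\n", run_until_oom(0, 1000), run_until_oom(1, 1000));
    return 0;
}
```

In the leaky variant the pending list is empty after every completion, so nothing reachable shows the loss; only the allocator's view reveals it.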

Affected Systems

All Linux kernel installations that include the vulnerable Bluetooth management code introduced by commit 302a1f674c00 and have not applied the fix. This includes kernel releases up to and including 6.19 RC7. The vulnerability is tied to the Bluetooth subsystem in the mainline Linux kernel, affecting any system that enables the Bluetooth MGMT module or processes SSP requests.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity and the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an attacker’s ability to send a large number of SSP completion triggers to the host, which is possible for devices with a public or exposed Bluetooth interface. Given that the issue leads only to memory exhaustion and not immediate corruption or code execution, the risk is moderate but not negligible for environments that rely on continuous Bluetooth service availability.

Generated by OpenCVE AI on April 18, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch for the Bluetooth mgmt memory leak, such as any kernel release newer than 6.19 RC7 or 6.19.1 and later.
  • If a kernel upgrade is not immediately feasible, temporarily disable the Bluetooth mgmt subsystem or restrict exposure (e.g., using firewall rules or disabling Bluetooth services) to reduce the number of SSP interactions that could trigger the leak.
  • Monitor system memory usage for abnormal growth patterns and configure alerts to detect ongoing leaks, enabling proactive mitigation before a full denial of service occurs.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 21:15:00 +0000

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-401

Type: CPEs
  Values Removed: (none)
  Values Added:
    cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*

Type: Metrics
  Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 16 Feb 2026 12:15:00 +0000

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: threat_severity None
  Values Added:
    cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    threat_severity Important


Sat, 14 Feb 2026 16:15:00 +0000

Type: Description
  Values Added: the description text shown at the top of this page

Type: Title
  Values Added: Bluetooth: MGMT: Fix memory leak in set_ssp_complete

Type: First Time appeared
  Values Added: Linux; Linux linux Kernel

Type: CPEs
  Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Added: Linux; Linux linux Kernel

Type: References
  Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:01:19.663Z

Reserved: 2026-01-13T15:37:45.976Z

Link: CVE-2026-23151

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-14T16:15:55.233

Modified: 2026-03-17T21:11:37.000

Link: CVE-2026-23151

Redhat

Severity : Important

Public Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23151 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T12:30:45Z

Weaknesses