Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete

This fixes the condition checking so mgmt_pending_valid is executed
whenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd)
would kfree(cmd) without unlinking it from the list first, leaving a
dangling pointer. Any subsequent list traversal (e.g.,
mgmt_pending_foreach during __mgmt_power_off, or another
mgmt_pending_valid call) would dereference freed memory.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-After-Free
Action: Patch
AI Analysis

Impact

The flaw arises from a dangling pointer in the Linux kernel Bluetooth MGMT code, corresponding to CWE-416 (use-after-free) and CWE-825 (expired pointer dereference). When a pending command is freed without being unlinked from the internal list, a stale pointer remains. Subsequent list traversals, such as those performed during power-off or additional validation calls, dereference this freed memory, leading to kernel memory corruption and crashes. The potential for arbitrary code execution is inferred from the nature of the vulnerability but is not explicitly stated in the CVE description.
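
A userspace C model of the mechanism described above, added here as an illustration; it is not the kernel's code. The struct and function names are hypothetical, pending_valid is assumed to unlink the entry as the description implies, and a freed flag stands in for kfree() so the later list walk stays well defined.

```c
#include <errno.h>
#include <stdbool.h>

/* Userspace model; the "freed" flag stands in for kfree() so walks stay defined. */
struct cmd { struct cmd *prev, *next; bool freed; };

static void list_init(struct cmd *head) { head->prev = head->next = head; }
static void list_add_tail(struct cmd *head, struct cmd *c) {
    c->prev = head->prev; c->next = head;
    head->prev->next = c; head->prev = c;
    c->freed = false;
}
/* Model of the validate step: true only if c is still queued; unlinks it. */
static bool pending_valid(struct cmd *head, struct cmd *c) {
    for (struct cmd *it = head->next; it != head; it = it->next) {
        if (it != c) continue;
        c->prev->next = c->next; c->next->prev = c->prev;
        c->prev = c->next = c;
        return true;
    }
    return false;
}
static void pending_free(struct cmd *c) { c->freed = true; }

/* Flawed shape: the free is reached without the validate-and-unlink step. */
static void complete_unchecked(struct cmd *head, struct cmd *c, int status) {
    (void)head;
    if (status == -ECANCELED) return;
    pending_free(c);
}
/* Fixed shape: validate (and unlink) whenever status != -ECANCELED. */
static void complete_checked(struct cmd *head, struct cmd *c, int status) {
    if (status == -ECANCELED || !pending_valid(head, c)) return;
    pending_free(c);
}

/* Stand-in for a later list walk: counts entries that were already freed. */
static int count_dangling(struct cmd *head) {
    int n = 0;
    for (struct cmd *it = head->next; it != head; it = it->next)
        if (it->freed) n++;
    return n;
}
/* Queue two commands, complete the first, report stale entries left behind. */
static int demo(bool fixed, int status) {
    struct cmd head, a, b;
    list_init(&head); list_add_tail(&head, &a); list_add_tail(&head, &b);
    (fixed ? complete_checked : complete_unchecked)(&head, &a, status);
    return count_dangling(&head);
}
int main(void) { return (demo(false, 0) == 1 && demo(true, 0) == 0) ? 0 : 1; }
```

In the flawed shape the walk still reaches the freed entry; in the fixed shape the entry has left the list before it is freed, and a cancelled completion touches nothing.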

Affected Systems

All Linux kernel releases that contain the legacy mgmt_add_adv_patterns_monitor_complete implementation and have not yet incorporated the vendor‑supplied patch are affected. Devices exposing a Bluetooth management interface on these kernels are at risk.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is less than 1%, indicating a low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. It resides in privileged kernel code and could be triggered by an unauthenticated user sending crafted Bluetooth MGMT packets, an attack vector that is inferred from the nature of the vulnerability but is not explicitly described. An attacker could cause a crash (denial of service) or potentially execute code with elevated privileges, depending on the execution context of the freed memory; these outcomes are also inferred and not explicitly detailed in the CVE description.

Generated by OpenCVE AI on April 28, 2026 at 20:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the mgmt_add_adv_patterns_monitor_complete fix from your vendor.
  • Reboot the system so the updated kernel and Bluetooth modules take effect.
  • If an immediate kernel update is not possible, stop or disable the Bluetooth service to reduce exposure until the patch can be applied.

Advisories

Source: Debian DSA
ID: DSA-6238-1
Title: linux security update

History

Sun, 17 May 2026 15:45:00 +0000


Tue, 28 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete This fixes the condition checking so mgmt_pending_valid is executed whenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd) would kfree(cmd) without unlinking it from the list first, leaving a dangling pointer. Any subsequent list traversal (e.g., mgmt_pending_foreach during __mgmt_power_off, or another mgmt_pending_valid call) would dereference freed memory.
Title Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-17T15:21:31.315Z

Reserved: 2026-03-09T15:48:24.106Z

Link: CVE-2026-31511

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-04-22T14:16:50.343

Modified: 2026-05-17T16:16:15.813

Link: CVE-2026-31511

Redhat

Severity: Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31511 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T21:00:14Z

Weaknesses