Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate mesh send advertising payload length

mesh_send() currently bounds MGMT_OP_MESH_SEND by total command
length, but it never verifies that the bytes supplied for the
flexible adv_data[] array actually match the embedded adv_data_len
field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a
truncated command can still pass the existing 20..50 byte range
check and later drive the async mesh send path past the end of the
queued command buffer.

Keep rejecting zero-length and oversized advertising payloads, but
validate adv_data_len explicitly and require the command length to
exactly match the flexible array size before queueing the request.
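
The length check described above, as an added C model that is not the kernel's code: a range-only check next to the exact-match check, run on a constructed truncated command. The 19-byte header, the position of adv_data_len and the 31-byte payload maximum are assumptions chosen to reproduce the 20..50 byte range quoted above, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout matching the quoted 20..50 byte range: 19-byte header whose
 * last byte is adv_data_len, then 1..31 bytes of adv_data[]. Not kernel names. */
#define HDR_SIZE    19u  /* stands in for MGMT_MESH_SEND_SIZE */
#define ADV_MAX     31u
#define ADV_LEN_OFF 18u

/* Pre-fix style: only the total command length is bounded. */
static int check_range_only(size_t len)
{
    return len > HDR_SIZE && len <= HDR_SIZE + ADV_MAX;
}

/* Post-fix style: bound adv_data_len, then require an exact length match. */
static int check_exact(const uint8_t *cmd, size_t len)
{
    if (len <= HDR_SIZE || len > HDR_SIZE + ADV_MAX)
        return 0;
    if (cmd[ADV_LEN_OFF] == 0 || cmd[ADV_LEN_OFF] > ADV_MAX)
        return 0;
    return len == HDR_SIZE + (size_t)cmd[ADV_LEN_OFF];
}

/* Bytes past the buffer that a consumer trusting adv_data_len would read. */
static size_t overread_bytes(const uint8_t *cmd, size_t len)
{
    size_t need = HDR_SIZE + (size_t)cmd[ADV_LEN_OFF];
    return need > len ? need - len : 0;
}

/* Constructed sample: header claims `claimed` bytes, `actual` are present. */
static size_t build_cmd(uint8_t *buf, uint8_t claimed, size_t actual)
{
    memset(buf, 0, HDR_SIZE + ADV_MAX);
    buf[ADV_LEN_OFF] = claimed;
    return HDR_SIZE + actual;
}

int main(void)
{
    uint8_t buf[HDR_SIZE + ADV_MAX];
    size_t len = build_cmd(buf, 31, 1); /* 20 bytes supplied, header claims 31 */
    printf("range-only=%d exact=%d overread=%zu\n", check_range_only(len),
           check_exact(buf, len), overread_bytes(buf, len));
    return 0;
}
```
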
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel Bluetooth management layer, the mesh_send() routine verifies only the overall command length but does not confirm that the advertised data length field matches the size of the payload array. This oversight (CWE‑130) allows a crafted, truncated command to bypass existing checks and cause the asynchronous mesh send path to read past the end of the queued buffer, creating a memory corruption condition that can be abused to execute arbitrary code with kernel privileges.

Affected Systems

All Linux kernel variants that incorporate the Bluetooth MGMT interface are potentially impacted. No precise version range is given, so any kernel that contains the unpatched Bluetooth code and processes mesh send commands may be vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity, the EPSS score of < 1% indicates a very low exploitation probability, and it is not listed in the CISA KEV catalog. Based on the description, the attack vector is most likely remote via a Bluetooth connection, though the required preconditions are not fully detailed. Successful exploitation would trigger a memory corruption in the kernel through the mesh send path, potentially leading to privilege escalation to kernel level if an attacker can control the result of the asynchronous operation.

Generated by OpenCVE AI on May 8, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that incorporates the patch from commit 0b706fb2294aff3adfd54653bda1b5e356ad4566 or later, or apply the patch directly to the source, then rebuild and install the kernel.
  • Reboot the affected systems to load the updated kernel and ensure the patched Bluetooth code is active.
  • If Bluetooth mesh functionality is not required, disable it by removing the mesh module or adjusting the Bluetooth configuration to reject mesh send commands.



Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6243-1 | linux security update
History

Fri, 08 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate mesh send advertising payload length mesh_send() currently bounds MGMT_OP_MESH_SEND by total command length, but it never verifies that the bytes supplied for the flexible adv_data[] array actually match the embedded adv_data_len field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer. Keep rejecting zero-length and oversized advertising payloads, but validate adv_data_len explicitly and require the command length to exactly match the flexible array size before queueing the request.
Title Bluetooth: MGMT: validate mesh send advertising payload length
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:05.863Z

Reserved: 2026-05-01T14:12:55.975Z

Link: CVE-2026-43017

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-01T15:16:45.837

Modified: 2026-05-08T14:13:28.580

Link: CVE-2026-43017

Redhat

Severity: Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43017 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T20:30:16Z

Weaknesses