Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers

Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced
mgmt_pending_valid(), which not only validates the pending command but
also unlinks it from the pending list if it is valid. This change in
semantics requires updates to several completion handlers to avoid list
corruption and memory safety issues.

This patch addresses two left-over issues from the aforementioned rework:

1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()
is replaced with mgmt_pending_free() in the success path. Since
mgmt_pending_valid() already unlinks the command at the beginning of
the function, calling mgmt_pending_remove() leads to a double list_del()
and subsequent list corruption/kernel panic.

2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error
path is removed. Since the current command is already unlinked by
mgmt_pending_valid(), this foreach loop would incorrectly target other
pending mesh commands, potentially freeing them while they are still being
processed concurrently (leading to UAFs). The redundant mgmt_cmd_status()
is also simplified to use cmd->opcode directly.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper handling of pending Bluetooth management commands in the Linux kernel. Commit 302a1f674c00 changed mgmt_pending_valid() so that it also unlinks the pending command, earlier than two completion handlers expect: mgmt_add_adv_patterns_monitor_complete() then unlinks the same command a second time (a double list_del()), and the error path of set_mesh_complete() walks the remaining pending mesh commands and can free ones that are still being processed (a use-after-free). When triggered, this flaw can corrupt the kernel's internal command list or free objects that are still in use. Such memory corruption can lead to a kernel panic or allow an attacker to execute arbitrary code with elevated privileges. The description indicates that the bug is fixed by the patch described above, so any system running an affected Linux kernel version is susceptible until that patch is applied.
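The double list_del() from item 1 of the description, as an added illustration that is not kernel code: a constructed, minimal list model in which a second unlink is detectable instead of corrupting memory, with the handler's success path before the fix (mgmt_pending_remove() after mgmt_pending_valid()) and after it (mgmt_pending_free() only). The names mirror the kernel's, but every body here is a stand-in.

```c
/* Constructed, minimal model of the pending-command list. Not the kernel's
 * list.h or net/bluetooth/mgmt.c: the names mirror the kernel's, but the
 * bodies are stand-ins that make a second list_del() observable. */
struct list_head { struct list_head *next, *prev; };
#define LIST_POISON ((struct list_head *)0x100) /* stand-in for LIST_POISON1 */

static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next; n->prev = head;
	head->next->prev = n; head->next = n;
}
/* 0 on success, -1 if the node was already unlinked. In the real kernel a
 * second list_del() on the same node is list corruption or a panic. */
static int list_del(struct list_head *n)
{
	if (n->next == LIST_POISON) return -1;
	n->prev->next = n->next; n->next->prev = n->prev;
	n->next = n->prev = LIST_POISON;
	return 0;
}

struct mgmt_pending_cmd { struct list_head list; int freed; };

/* Since commit 302a1f674c00, validating a pending command also unlinks it. */
static int mgmt_pending_valid(struct mgmt_pending_cmd *cmd)
{ return list_del(&cmd->list) == 0; }
static void mgmt_pending_free(struct mgmt_pending_cmd *cmd) { cmd->freed = 1; }
/* remove = unlink + free, so after valid() its unlink is the second one. */
static int mgmt_pending_remove(struct mgmt_pending_cmd *cmd)
{ int rc = list_del(&cmd->list); mgmt_pending_free(cmd); return rc; }

/* Success path of the complete handler before the fix: returns -1 because
 * mgmt_pending_remove() unlinks a command that valid() already unlinked. */
int complete_before_fix(void)
{
	struct list_head pending = { &pending, &pending };
	struct mgmt_pending_cmd cmd = { .freed = 0 };
	list_add(&cmd.list, &pending);
	if (!mgmt_pending_valid(&cmd)) return 1;
	return mgmt_pending_remove(&cmd);
}
/* After the fix: the command is already off the list, so only free it.
 * Returns 0 when it was freed once and the list head is intact. */
int complete_after_fix(void)
{
	struct list_head pending = { &pending, &pending };
	struct mgmt_pending_cmd cmd = { .freed = 0 };
	list_add(&cmd.list, &pending);
	if (!mgmt_pending_valid(&cmd)) return 1;
	mgmt_pending_free(&cmd);
	return (cmd.freed && pending.next == &pending) ? 0 : -1;
}
```

Call the two functions from a main() of your own: the pre-fix path reports the second unlink, the fixed path frees the command exactly once and leaves the list head consistent.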

Affected Systems

All Linux kernel releases that contain the reworked Bluetooth MGMT code introduced by commit 302a1f674c00 but not the follow-up fix described above. The affected product is the official Linux kernel maintained by the Linux Foundation. No specific version numbers are listed, so the recommendation is to upgrade to any Linux kernel version that includes the patch.

Risk and Exploitability

The CVSS score is not provided, but a use-after-free in kernel space is generally treated as a high-severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require local control of the Bluetooth stack, though remote exploitation could be possible if the system exposes its Bluetooth service to external devices. Given the severity and the lack of mitigating controls, the risk of privilege escalation remains high until the patch is applied.

Generated by OpenCVE AI on May 5, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version containing the fix described above (the follow-up to commit 302a1f674c00), which resolves the list corruption and use-after-free bugs.
  • If an immediate kernel upgrade is not possible, disable the Bluetooth service or block Bluetooth traffic at the network level to prevent any interaction with the vulnerable handlers.
  • Monitor system logs for kernel panics or unexpected crashes, and apply any available security hardening patches that mitigate kernel memory safety issues.



Advisories

No advisories yet.

History

Tue, 05 May 2026 17:45:00 +0000

Type: Weaknesses / Values Removed: (none) / Values Added: CWE-416

Tue, 05 May 2026 16:15:00 +0000

Type: Description / Values Added: the full CVE description (identical to the Description section above)
Type: Title / Values Added: Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers
Type: First Time appeared / Values Added: Linux; Linux linux Kernel
Type: CPEs / Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Type: Vendors & Products / Values Added: Linux; Linux linux Kernel
Type: References / Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-05T15:17:25.727Z

Reserved: 2026-05-01T14:12:55.981Z

Link: CVE-2026-43059

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T16:16:14.927

Modified: 2026-05-05T16:16:14.927

Link: CVE-2026-43059

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T17:30:05Z

Weaknesses