Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers

Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced
mgmt_pending_valid(), which not only validates the pending command but
also unlinks it from the pending list if it is valid. This change in
semantics requires updates to several completion handlers to avoid list
corruption and memory safety issues.

This patch addresses two left-over issues from the aforementioned rework:

1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()
is replaced with mgmt_pending_free() in the success path. Since
mgmt_pending_valid() already unlinks the command at the beginning of
the function, calling mgmt_pending_remove() leads to a double list_del()
and subsequent list corruption/kernel panic.

2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error
path is removed. Since the current command is already unlinked by
mgmt_pending_valid(), this foreach loop would incorrectly target other
pending mesh commands, potentially freeing them while they are still being
processed concurrently (leading to UAFs). The redundant mgmt_cmd_status()
is also simplified to use cmd->opcode directly.
Published: 2026-05-05
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by improper handling of pending Bluetooth management commands in the Linux kernel, where previously executed commands are unlinked and freed too early. This misbehavior can corrupt the kernel’s internal command list or dereference freed memory, causing a kernel panic or enabling an attacker to execute arbitrary code with escalated privileges when the affected handlers are invoked.

Affected Systems

All Linux kernel releases that contain the buggy Bluetooth MGMT code before the commit that introduced the fix. The affected product is the official Linux kernel, and the fix is part of the patch that adds mgmt_pending_valid() semantics. No specific version numbers are listed, so any kernel that has not yet incorporated this change is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, and the EPSS score of < 1% reflects a low current exploitation probability. The vulnerability is not included in CISA KEV catalog. When triggered, the flaw can corrupt kernel memory or free objects prematurely. Based on the description, it is inferred that an attacker would need to influence the Bluetooth stack—either through local control of Bluetooth commands or via an exposed Bluetooth service—to exercise the vulnerable handlers. Remote exploitation is possible only if the system’s Bluetooth service is reachable from outside, but this is an inference rather than confirmed data. The risk remains until the kernel is patched with the commit that corrects the list handling logic.

Generated by OpenCVE AI on May 26, 2026 at 15:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version containing the patch that fixes the list corruption and use‑after‑free bugs.
  • If a kernel upgrade cannot be performed immediately, disable Bluetooth services or block Bluetooth traffic at the network level to prevent interaction with the vulnerable code paths.
  • Monitor system logs for kernel panics or crashes that may indicate exploitation attempts and apply any additional kernel hardening patches that address memory safety issues.

Generated by OpenCVE AI on May 26, 2026 at 15:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 06 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Tue, 05 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), which not only validates the pending command but also unlinks it from the pending list if it is valid. This change in semantics requires updates to several completion handlers to avoid list corruption and memory safety issues. This patch addresses two left-over issues from the aforementioned rework: 1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() is replaced with mgmt_pending_free() in the success path. Since mgmt_pending_valid() already unlinks the command at the beginning of the function, calling mgmt_pending_remove() leads to a double list_del() and subsequent list corruption/kernel panic. 2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error path is removed. Since the current command is already unlinked by mgmt_pending_valid(), this foreach loop would incorrectly target other pending mesh commands, potentially freeing them while they are still being processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() is also simplified to use cmd->opcode directly.
Title Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:06:09.898Z

Reserved: 2026-05-01T14:12:55.981Z

Link: CVE-2026-43059

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T16:16:14.927

Modified: 2026-05-22T12:04:03.663

Link: CVE-2026-43059

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-43059 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T15:30:08Z

Weaknesses