Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_ll: Fix firmware leak on error path

Smatch reports:

drivers/bluetooth/hci_ll.c:587 download_firmware() warn:
'fw' from request_firmware() not released on lines: 544.

In download_firmware(), if request_firmware() succeeds but the returned
firmware content is invalid (no data or zero size), the function returns
without releasing the firmware, resulting in a resource leak.

Fix this by calling release_firmware() before returning when
request_firmware() succeeded but the firmware content is invalid.
Published: 2026-05-05
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises within the Linux kernel Bluetooth stack, specifically the hci_ll module's firmware download routine. When a firmware fetch succeeds but the firmware payload is empty or invalid, the routine exits without releasing the firmware resource, creating a memory/resource leak. This weakness (CWE‑772) can cause gradual exhaustion of kernel memory, while the memory leak represented by CWE‑401 contributes to the overall resource depletion, potentially leading to system instability or a denial‑of‑service condition.

Affected Systems

The flaw affects any Linux kernel that implements the hci_ll component of the Bluetooth subsystem. All distributions that ship the stock kernel without the reported fix are potentially vulnerable. No specific kernel release series or versions are listed in the advisory, so any kernel lacking the recent patch qualifies.

Risk and Exploitability

The CVSS score of 5.5 and the EPSS score of <1% indicate a moderate risk of exploitation. The flaw is not included in the CISA KEV catalog. An attacker would need to trigger the firmware load path with an invalid firmware blob. Inferred from the EPSS score, the overall likelihood of exploitation appears low. The primary impact is denial‑of‑service through resource exhaustion; the risk depends on an adversary’s ability to invoke the firmware loading routine on the vulnerable host.

Generated by OpenCVE AI on May 29, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel that incorporates the hci_ll firmware leak fix (patches included in recent stable releases).
  • If an immediate kernel update is not possible, consider disabling Bluetooth firmware loading or limiting the use of untrusted Bluetooth devices.
  • Monitor kernel logs for repeated firmware load failures or memory allocation warnings that might indicate the leak; apply a patch as soon as one becomes available.

Generated by OpenCVE AI on May 29, 2026 at 19:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Fri, 29 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Wed, 06 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-791

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 05 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-791

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_ll: Fix firmware leak on error path Smatch reports: drivers/bluetooth/hci_ll.c:587 download_firmware() warn: 'fw' from request_firmware() not released on lines: 544. In download_firmware(), if request_firmware() succeeds but the returned firmware content is invalid (no data or zero size), the function returns without releasing the firmware, resulting in a resource leak. Fix this by calling release_firmware() before returning when request_firmware() succeeded but the firmware content is invalid.
Title Bluetooth: hci_ll: Fix firmware leak on error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:07.130Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43069

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T16:16:16.197

Modified: 2026-05-29T17:53:53.400

Link: CVE-2026-43069

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-43069 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T20:00:05Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime