CVE-2026-43059 (GCVE-0-2026-43059)

Vulnerability from cvelistv5 – Published: 2026-05-05 15:17 – Updated: 2026-05-05 15:17
VLAI?
Title
Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), which not only validates the pending command but also unlinks it from the pending list if it is valid. This change in semantics requires updates to several completion handlers to avoid list corruption and memory safety issues. This patch addresses two left-over issues from the aforementioned rework: 1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() is replaced with mgmt_pending_free() in the success path. Since mgmt_pending_valid() already unlinks the command at the beginning of the function, calling mgmt_pending_remove() leads to a double list_del() and subsequent list corruption/kernel panic. 2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error path is removed. Since the current command is already unlinked by mgmt_pending_valid(), this foreach loop would incorrectly target other pending mesh commands, potentially freeing them while they are still being processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() is also simplified to use cmd->opcode directly.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: d71b98f253b079cbadc83266383f26fe7e9e103b , < 695b45b2262fcb5e71bed1175aad59c72f92aa78 (git)
Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77 (git)
Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < 02023ff760cc104a5d86a82ef5b8dd89098ad78d (git)
Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < 17f89341cb4281d1da0e2fb0de5406ab7c4e25ef (git)
Affected: 87a1f16f07c6c43771754075e08f45b41d237421 (git)
Create a notification for this product.
    Linux Linux Affected: 6.17
Unaffected: 0 , < 6.17 (semver)
Unaffected: 6.12.78 , ≤ 6.12.* (semver)
Unaffected: 6.18.20 , ≤ 6.18.* (semver)
Unaffected: 6.19.10 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "695b45b2262fcb5e71bed1175aad59c72f92aa78",
              "status": "affected",
              "version": "d71b98f253b079cbadc83266383f26fe7e9e103b",
              "versionType": "git"
            },
            {
              "lessThan": "b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77",
              "status": "affected",
              "version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
              "versionType": "git"
            },
            {
              "lessThan": "02023ff760cc104a5d86a82ef5b8dd89098ad78d",
              "status": "affected",
              "version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
              "versionType": "git"
            },
            {
              "lessThan": "17f89341cb4281d1da0e2fb0de5406ab7c4e25ef",
              "status": "affected",
              "version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "87a1f16f07c6c43771754075e08f45b41d237421",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "6.12.59",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.20",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.10",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.16.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix list corruption and UAF in command complete handlers\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") introduced\nmgmt_pending_valid(), which not only validates the pending command but\nalso unlinks it from the pending list if it is valid. This change in\nsemantics requires updates to several completion handlers to avoid list\ncorruption and memory safety issues.\n\nThis patch addresses two left-over issues from the aforementioned rework:\n\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\nis replaced with mgmt_pending_free() in the success path. Since\nmgmt_pending_valid() already unlinks the command at the beginning of\nthe function, calling mgmt_pending_remove() leads to a double list_del()\nand subsequent list corruption/kernel panic.\n\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\npath is removed. Since the current command is already unlinked by\nmgmt_pending_valid(), this foreach loop would incorrectly target other\npending mesh commands, potentially freeing them while they are still being\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\nis also simplified to use cmd-\u003eopcode directly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T15:17:25.727Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/695b45b2262fcb5e71bed1175aad59c72f92aa78"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77"
        },
        {
          "url": "https://git.kernel.org/stable/c/02023ff760cc104a5d86a82ef5b8dd89098ad78d"
        },
        {
          "url": "https://git.kernel.org/stable/c/17f89341cb4281d1da0e2fb0de5406ab7c4e25ef"
        }
      ],
      "title": "Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43059",
    "datePublished": "2026-05-05T15:17:25.727Z",
    "dateReserved": "2026-05-01T14:12:55.981Z",
    "dateUpdated": "2026-05-05T15:17:25.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43059\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-05T16:16:14.927\",\"lastModified\":\"2026-05-05T16:16:14.927\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: MGMT: Fix list corruption and UAF in command complete handlers\\n\\nCommit 302a1f674c00 (\\\"Bluetooth: MGMT: Fix possible UAFs\\\") introduced\\nmgmt_pending_valid(), which not only validates the pending command but\\nalso unlinks it from the pending list if it is valid. This change in\\nsemantics requires updates to several completion handlers to avoid list\\ncorruption and memory safety issues.\\n\\nThis patch addresses two left-over issues from the aforementioned rework:\\n\\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\\nis replaced with mgmt_pending_free() in the success path. Since\\nmgmt_pending_valid() already unlinks the command at the beginning of\\nthe function, calling mgmt_pending_remove() leads to a double list_del()\\nand subsequent list corruption/kernel panic.\\n\\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\\npath is removed. Since the current command is already unlinked by\\nmgmt_pending_valid(), this foreach loop would incorrectly target other\\npending mesh commands, potentially freeing them while they are still being\\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\\nis also simplified to use cmd-\u003eopcode directly.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/02023ff760cc104a5d86a82ef5b8dd89098ad78d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/17f89341cb4281d1da0e2fb0de5406ab7c4e25ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/695b45b2262fcb5e71bed1175aad59c72f92aa78\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.