{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43017","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.975Z","datePublished":"2026-05-01T14:15:21.561Z","dateUpdated":"2026-05-11T22:16:05.863Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:16:05.863Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate mesh send advertising payload length\n\nmesh_send() currently bounds MGMT_OP_MESH_SEND by total command\nlength, but it never verifies that the bytes supplied for the\nflexible adv_data[] array actually match the embedded adv_data_len\nfield. MGMT_MESH_SEND_SIZE only covers the fixed header, so a\ntruncated command can still pass the existing 20..50 byte range\ncheck and later drive the async mesh send path past the end of the\nqueued command buffer.\n\nKeep rejecting zero-length and oversized advertising payloads, but\nvalidate adv_data_len explicitly and require the command length to\nexactly match the flexible array size before queueing the request."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/mgmt.c"],"versions":[{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"24fa32369cf15d8fc918bdfe94097b12e6acada0","status":"affected","versionType":"git"},{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"244b639e6a3a8e26241e201004a3a9f764476631","status":"affected","versionType":"git"},{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"0b706fb2294aff3adfd54653bda1b5e356ad4566","status":"affected","versionType":"git"},{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"edb5898cfa91afe7e8f83eda18d93034c953d632","status":"affected","versionType":"git"},{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"562ed1954f0c1bff3422b7b752bd3dacf185edbf","status":"affected","versionType":"git"},{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"bda93eec78cdbfe5cda00785cefebd443e56b88b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/mgmt.c"],"versions":[{"version":"6.1","status":"affected"},{"version":"0","lessThan":"6.1","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.134","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.81","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.22","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.12","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.6.134"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.12.81"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.18.22"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.19.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/24fa32369cf15d8fc918bdfe94097b12e6acada0"},{"url":"https://git.kernel.org/stable/c/244b639e6a3a8e26241e201004a3a9f764476631"},{"url":"https://git.kernel.org/stable/c/0b706fb2294aff3adfd54653bda1b5e356ad4566"},{"url":"https://git.kernel.org/stable/c/edb5898cfa91afe7e8f83eda18d93034c953d632"},{"url":"https://git.kernel.org/stable/c/562ed1954f0c1bff3422b7b752bd3dacf185edbf"},{"url":"https://git.kernel.org/stable/c/bda93eec78cdbfe5cda00785cefebd443e56b88b"}],"title":"Bluetooth: MGMT: validate mesh send advertising payload length","x_generator":{"engine":"bippy-1.2.0"}}}}