{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43059","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.981Z","datePublished":"2026-05-05T15:17:25.727Z","dateUpdated":"2026-05-11T22:16:55.130Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:16:55.130Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix list corruption and UAF in command complete handlers\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") introduced\nmgmt_pending_valid(), which not only validates the pending command but\nalso unlinks it from the pending list if it is valid. This change in\nsemantics requires updates to several completion handlers to avoid list\ncorruption and memory safety issues.\n\nThis patch addresses two left-over issues from the aforementioned rework:\n\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\nis replaced with mgmt_pending_free() in the success path. Since\nmgmt_pending_valid() already unlinks the command at the beginning of\nthe function, calling mgmt_pending_remove() leads to a double list_del()\nand subsequent list corruption/kernel panic.\n\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\npath is removed. Since the current command is already unlinked by\nmgmt_pending_valid(), this foreach loop would incorrectly target other\npending mesh commands, potentially freeing them while they are still being\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\nis also simplified to use cmd->opcode directly."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/mgmt.c"],"versions":[{"version":"d71b98f253b079cbadc83266383f26fe7e9e103b","lessThan":"695b45b2262fcb5e71bed1175aad59c72f92aa78","status":"affected","versionType":"git"},{"version":"302a1f674c00dd5581ab8e493ef44767c5101aab","lessThan":"b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77","status":"affected","versionType":"git"},{"version":"302a1f674c00dd5581ab8e493ef44767c5101aab","lessThan":"02023ff760cc104a5d86a82ef5b8dd89098ad78d","status":"affected","versionType":"git"},{"version":"302a1f674c00dd5581ab8e493ef44767c5101aab","lessThan":"17f89341cb4281d1da0e2fb0de5406ab7c4e25ef","status":"affected","versionType":"git"},{"version":"87a1f16f07c6c43771754075e08f45b41d237421","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/mgmt.c"],"versions":[{"version":"6.17","status":"affected"},{"version":"0","lessThan":"6.17","status":"unaffected","versionType":"semver"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.20","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.10","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.59","versionEndExcluding":"6.12.78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"6.18.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"6.19.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"7.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/695b45b2262fcb5e71bed1175aad59c72f92aa78"},{"url":"https://git.kernel.org/stable/c/b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77"},{"url":"https://git.kernel.org/stable/c/02023ff760cc104a5d86a82ef5b8dd89098ad78d"},{"url":"https://git.kernel.org/stable/c/17f89341cb4281d1da0e2fb0de5406ab7c4e25ef"}],"title":"Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers","x_generator":{"engine":"bippy-1.2.0"}}}}