CVE-2026-23151
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix memory leak in set_ssp_complete
Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures are not freed after being removed from the pending list.
Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced mgmt_pending_foreach() calls with individual command handling but missed adding mgmt_pending_free() calls in both error and success paths of set_ssp_complete(). Other completion functions like set_le_complete() were fixed correctly in the same commit.
This causes a memory leak of the mgmt_pending_cmd structure and its associated parameter data for each SSP command that completes.
Add the missing mgmt_pending_free(cmd) calls in both code paths to fix the memory leak. Also fix the same issue in set_advertising_complete().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's Bluetooth MGMT subsystem occurs when mgmt_pending_cmd structures are not freed in set_ssp_complete() and set_advertising_complete().
Vulnerability
Overview
A memory leak vulnerability exists in the Linux kernel's Bluetooth MGMT subsystem. The issue arises in the set_ssp_complete() function, where mgmt_pending_cmd structures are removed from the pending list but not freed. This was introduced by commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs"), which replaced mgmt_pending_foreach() calls with individual command handling but omitted the necessary mgmt_pending_free() calls in both the error and success paths of set_ssp_complete() [1]. The same flaw also affects set_advertising_complete().
Exploitation and
Impact
An attacker with local access to the Bluetooth stack could trigger this memory leak by sending SSP (Secure Simple Pairing) or advertising commands that complete. No special privileges are required beyond the ability to interact with the Bluetooth subsystem. Over time, repeated exploitation could exhaust kernel memory, leading to denial of service (system instability or crash). The CVSS v3 score is 5.5 (Medium), reflecting the local nature and potential for resource exhaustion.
Mitigation
The fix adds the missing mgmt_pending_free(cmd) calls in both code paths of set_ssp_complete() and set_advertising_complete(). The patch has been applied to the Linux kernel stable tree [1]. Users should update to a kernel version containing this fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Linux/Linuxv5Range: 6.17
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.