CVE-2026-43017
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: validate mesh send advertising payload length
mesh_send() currently bounds MGMT_OP_MESH_SEND by total command length, but it never verifies that the bytes supplied for the flexible adv_data[] array actually match the embedded adv_data_len field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer.
Keep rejecting zero-length and oversized advertising payloads, but validate adv_data_len explicitly and require the command length to exactly match the flexible array size before queueing the request.
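The difference between the two checks, as an added example that is not kernel code and not part of the original advisory: a user-space C model of a total-length-only check beside an exact-length check. The struct layout, `HDR_SIZE` (standing in for MGMT_MESH_SEND_SIZE), `ADV_MAX` and all function names are assumptions, chosen so that the old range check comes out as the 20..50 bytes quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model. Sizes are assumptions picked so the old
 * range check matches the 20..50 bytes quoted in the description. */
#define HDR_SIZE 19   /* stand-in for MGMT_MESH_SEND_SIZE (fixed header) */
#define ADV_MAX  31   /* assumed maximum advertising payload */

struct mesh_send_cmd {             /* hypothetical layout, not the kernel's */
    uint8_t fixed[HDR_SIZE - 1];   /* address, timing and count fields */
    uint8_t adv_data_len;          /* length claimed by the sender */
    uint8_t adv_data[];            /* flexible array: bytes actually sent */
};

/* Pre-fix behaviour: only the total command length is bounded. */
int check_total_len_only(const void *buf, size_t len)
{
    (void)buf;
    return len > HDR_SIZE && len <= HDR_SIZE + ADV_MAX;
}

/* Post-fix behaviour: the claimed length must be 1..ADV_MAX and the
 * command must be exactly header + adv_data_len bytes long. */
int check_exact_len(const void *buf, size_t len)
{
    const struct mesh_send_cmd *cp = buf;
    if (len < HDR_SIZE)            /* header itself must be present */
        return 0;
    if (cp->adv_data_len == 0 || cp->adv_data_len > ADV_MAX)
        return 0;
    return len == (size_t)HDR_SIZE + cp->adv_data_len;
}

/* Constructed sample: total_len bytes received, header claims `claimed`. */
int run_case(int (*check)(const void *, size_t), size_t total_len, uint8_t claimed)
{
    uint8_t buf[HDR_SIZE + ADV_MAX] = {0};
    buf[offsetof(struct mesh_send_cmd, adv_data_len)] = claimed;
    return check(buf, total_len);
}

int main(void)
{   /* 20-byte command whose header claims 31 payload bytes */
    printf("old=%d fixed=%d\n", run_case(check_total_len_only, 20, 31),
           run_case(check_exact_len, 20, 31));
    return 0;
}
```

The exact-length comparison also rejects commands that carry trailing bytes beyond the claimed payload, which a lower-bound-only fix would let through.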
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, the Bluetooth MGMT mesh send command lacks validation of adv_data_len, allowing an out-of-bounds read via a truncated command.
Vulnerability
Details
The Linux kernel's Bluetooth subsystem contains an out-of-bounds read vulnerability in the mesh_send() handler for MGMT_OP_MESH_SEND. The function validates the overall command length against MGMT_MESH_SEND_SIZE but fails to verify that the embedded adv_data_len field matches the actual size of the flexible array adv_data[]. This allows a crafted command with a mismatched adv_data_len to pass the length check [1].
Exploitation
An attacker with local access and the CAP_NET_ADMIN capability (or root privileges) can send a malicious MGMT_OP_MESH_SEND command to the kernel. By providing a truncated command where adv_data_len exceeds the remaining buffer, the kernel will later attempt to read beyond the allocated memory when processing the mesh advertising payload. No user interaction is required beyond sending the crafted command.
Impact
Successful exploitation leads to an out-of-bounds read from kernel heap memory, potentially leaking sensitive information. In some configurations, this may also cause a kernel panic (denial of service). The vulnerability is rated Medium (CVSS 5.5) due to the requirement for local access and elevated privileges.
Mitigation
The fix has been applied to the Linux kernel stable tree [1]. Users should update to a kernel version containing the commit that adds explicit validation of adv_data_len and ensures the command length exactly matches the flexible array size. No workaround is available.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.1, <6.1.168)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
References
- git.kernel.org/stable/c/0b706fb2294aff3adfd54653bda1b5e356ad4566 (nvd, Patch)
- git.kernel.org/stable/c/244b639e6a3a8e26241e201004a3a9f764476631 (nvd, Patch)
- git.kernel.org/stable/c/24fa32369cf15d8fc918bdfe94097b12e6acada0 (nvd, Patch)
- git.kernel.org/stable/c/562ed1954f0c1bff3422b7b752bd3dacf185edbf (nvd, Patch)
- git.kernel.org/stable/c/bda93eec78cdbfe5cda00785cefebd443e56b88b (nvd, Patch)
- git.kernel.org/stable/c/edb5898cfa91afe7e8f83eda18d93034c953d632 (nvd, Patch)