CVE-2026-43022

The vulnerability exists in the Linux kernel's Bluetooth subsystem, specifically in the hci_cmd_sync_queue_once() function within hci_sync. The function was not reliably indicating whether a command queue item already existed, potentially leading to resource leaks if callers were unaware of duplicate entries. The patch changes the function to return -EEXIST when the item is already present, allowing callers to avoid duplicating resources [1][2].

To exploit this issue, an attacker would need to trigger a scenario where a Bluetooth command is submitted multiple times, causing the kernel to allocate resources (e.g., memory) that are not properly freed. Since this is a logic flaw in the queue management, a local user with the ability to interact with the Bluetooth stack (e.g., via certain operations) could potentially cause a denial of service by repeatedly sending commands, leading to resource exhaustion.

The impact is primarily a denial-of-service condition where repeated duplicate command queues can exhaust kernel memory, resulting in system instability or crashes. There is no indication of privilege escalation or information disclosure. The patch ensures that hci_cmd_sync_queue_once() returns -EEXIST when a duplicate is found, and all callsites are updated to handle this return value appropriately, thus preventing the leak [1][2].

Mitigation is available through the kernel update that includes this commit. Users should apply the patch from the stable kernel tree to resolve the issue. There is no indication that this vulnerability is under active exploit or listed in KEV.