CVE-2026-43059
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers
Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), which not only validates the pending command but also unlinks it from the pending list if it is valid. This change in semantics requires updates to several completion handlers to avoid list corruption and memory safety issues.
This patch addresses two left-over issues from the aforementioned rework:
1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() is replaced with mgmt_pending_free() in the success path. Since mgmt_pending_valid() already unlinks the command at the beginning of the function, calling mgmt_pending_remove() leads to a double list_del() and subsequent list corruption/kernel panic.
2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error path is removed. Since the current command is already unlinked by mgmt_pending_valid(), this foreach loop would incorrectly target other pending mesh commands, potentially freeing them while they are still being processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() is also simplified to use cmd->opcode directly.
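A constructed C model of issue 1 above, added here as an illustration and not taken from the kernel source or from the fix: pending_valid() unlinks the command the way mgmt_pending_valid() does after 302a1f674c00, and the handler's success path is run once with the old mgmt_pending_remove() call and once with the mgmt_pending_free() replacement. The list, the poison check that counts a second unlink instead of crashing, and all function names are simplifications assumed for the demo.

```c
#include <stdbool.h>
#include <stdlib.h>
struct list_node { struct list_node *prev, *next; };
struct pending_cmd { struct list_node link; };   /* constructed stand-in for mgmt_pending_cmd */
static struct list_node pending_head;            /* head of the pending list */
static int double_del_count;                     /* stand-in for list corruption */
static int remaining_after;                      /* commands still listed after completion */
static void list_init(void) { pending_head.prev = pending_head.next = &pending_head; double_del_count = 0; }
/* Models list_del(): unlink, then poison. The kernel writes through the
 * poisoned pointers on a second list_del(); here it is counted instead. */
static void list_del(struct list_node *n) {
	if (!n->next || !n->prev) { double_del_count++; return; }
	n->prev->next = n->next;
	n->next->prev = n->prev;
	n->next = n->prev = NULL;
}
static int pending_count(void) {
	int c = 0;
	for (struct list_node *p = pending_head.next; p != &pending_head; p = p->next) c++;
	return c;
}
static struct pending_cmd *pending_add(void) {   /* link a new command at the tail */
	struct pending_cmd *cmd = calloc(1, sizeof *cmd);
	if (!cmd) abort();
	cmd->link.next = &pending_head;
	cmd->link.prev = pending_head.prev;
	pending_head.prev->next = &cmd->link;
	pending_head.prev = &cmd->link;
	return cmd;
}
static bool pending_valid(struct pending_cmd *cmd) {  /* post-302a1f674c00: validate AND unlink */
	if (cmd) list_del(&cmd->link);
	return cmd != NULL;
}
static void pending_free(struct pending_cmd *cmd) { free(cmd); }
/* Unlink and free: only safe while cmd is still on the list. */
static void pending_remove(struct pending_cmd *cmd) { list_del(&cmd->link); free(cmd); }

/* Success path of the completion handler; fixed=false reproduces the bug (a second
 * list_del() via mgmt_pending_remove()). Returns how many double unlinks occurred. */
static int complete_success_path(bool fixed) {
	list_init();
	struct pending_cmd *cmd = pending_add(), *other = pending_add();
	if (pending_valid(cmd)) {
		if (fixed) pending_free(cmd);          /* the fix: already unlinked, just free */
		else       pending_remove(cmd);        /* the bug: unlinks a second time */
	}
	remaining_after = pending_count();         /* the unrelated command must survive */
	pending_remove(other);                     /* still linked, so a single unlink */
	return double_del_count;
}
```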
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's Bluetooth MGMT subsystem, two completion handlers cause list corruption and use-after-free due to incorrect use of mgmt_pending command removal after a prior commit changed pending command semantics.
Vulnerability
Overview
CVE-2026-43059 is a memory safety vulnerability in the Linux kernel's Bluetooth MGMT subsystem. The root cause is a semantic mismatch introduced by a prior commit (302a1f674c00) that changed mgmt_pending_valid() to both validate a pending command and unlink it from the pending list. Two completion handlers were not updated to match this new behavior, leading to list corruption and use-after-free (UAF) conditions [1][2].
Exploitation
Details
The vulnerability manifests in two specific code paths:
1. In mgmt_add_adv_patterns_monitor_complete(), the success path calls mgmt_pending_remove() after mgmt_pending_valid() has already unlinked the command. This results in a double list deletion (list_del()), corrupting the kernel's pending list and potentially causing a kernel panic [1][2].
2. In set_mesh_complete(), the error path uses mgmt_pending_foreach() to iterate over pending mesh commands. Because the current command is already unlinked by mgmt_pending_valid(), this loop may incorrectly target other concurrently processed mesh commands, freeing them while they are still in use and leading to a UAF [1][2].
Both issues require the ability to trigger the affected MGMT command sequences, which typically means local access with the CAP_NET_ADMIN capability or root privileges.
Impact
An attacker with sufficient privileges could exploit these flaws to corrupt kernel memory, cause a denial of service (system crash), or potentially escalate privileges by manipulating freed memory objects. The UAF in the mesh path is particularly dangerous as it may allow an attacker to overwrite freed kernel structures.
Mitigation
The fixes are included in Linux kernel stable commits that replace the problematic calls with correct alternatives: mgmt_pending_free() instead of mgmt_pending_remove() in the advertising monitor path, and removal of the mgmt_pending_foreach() loop in the mesh path [1][2][3][4]. Users should apply the latest kernel updates from their distribution or the stable kernel tree. No workaround is available; patching is required.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (No linked articles in our index yet.)