Bluetooth: MGMT: validate mesh send advertising payload length
Summary
| CVE | CVE-2026-43017 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-01 15:16:45 UTC |
| Updated | 2026-05-01 15:24:14 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate mesh send advertising payload length. mesh_send() currently bounds MGMT_OP_MESH_SEND by total command length, but it never verifies that the bytes supplied for the flexible adv_data[] array actually match the embedded adv_data_len field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer. Keep rejecting zero-length and oversized advertising payloads, but validate adv_data_len explicitly and require the command length to exactly match the flexible array size before queueing the request. |
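
The length check described above, as an added userspace model in C (not the kernel's code or the upstream patch). All names are hypothetical, and the 19-byte fixed header and 31-byte payload limit are assumptions inferred from the 20..50 byte range in the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 19  /* assumed fixed header size (stands in for MGMT_MESH_SEND_SIZE) */
#define ADV_MAX  31  /* assumed maximum advertising payload */

struct mesh_send_cmd {            /* hypothetical layout, byte fields only */
    uint8_t addr[7], instant[8], delay[2], cnt;
    uint8_t adv_data_len;         /* payload length claimed by the sender */
    uint8_t adv_data[];           /* flexible array, not counted in HDR_SIZE */
};
_Static_assert(sizeof(struct mesh_send_cmd) == HDR_SIZE, "header size");

/* Before: only the total command length is bounded (20..50 bytes). */
static int len_ok_before(const uint8_t *cmd, size_t len)
{
    (void)cmd;
    return len > HDR_SIZE && len <= HDR_SIZE + ADV_MAX;
}

/* After: adv_data_len is validated and must match the bytes supplied. */
static int len_ok_after(const uint8_t *cmd, size_t len)
{
    uint8_t adv_len;

    if (len <= HDR_SIZE)          /* header must be complete before it is read */
        return 0;
    adv_len = cmd[offsetof(struct mesh_send_cmd, adv_data_len)];
    if (adv_len == 0 || adv_len > ADV_MAX)
        return 0;
    return len == (size_t)HDR_SIZE + adv_len;
}

/* Constructed sample: 20 bytes on the wire, header claims a 31-byte payload. */
static size_t build_truncated(uint8_t *buf)
{
    memset(buf, 0, HDR_SIZE + 1);
    buf[offsetof(struct mesh_send_cmd, adv_data_len)] = ADV_MAX;
    return HDR_SIZE + 1;
}

int main(void)
{
    uint8_t buf[HDR_SIZE + ADV_MAX];
    size_t len = build_truncated(buf);

    printf("before: %d, after: %d\n", len_ok_before(buf, len), len_ok_after(buf, len));
    return 0;
}
```
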
Risk And Classification
EPSS: 0.000240000 probability, percentile 0.068060000 (date 2026-05-05)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 24fa32369cf15d8fc918bdfe94097b12e6acada0 git | Not specified |
| CNA | Linux | Linux | affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 244b639e6a3a8e26241e201004a3a9f764476631 git | Not specified |
| CNA | Linux | Linux | affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 0b706fb2294aff3adfd54653bda1b5e356ad4566 git | Not specified |
| CNA | Linux | Linux | affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 edb5898cfa91afe7e8f83eda18d93034c953d632 git | Not specified |
| CNA | Linux | Linux | affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 562ed1954f0c1bff3422b7b752bd3dacf185edbf git | Not specified |
| CNA | Linux | Linux | affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 bda93eec78cdbfe5cda00785cefebd443e56b88b git | Not specified |
| CNA | Linux | Linux | affected 6.1 | Not specified |
| CNA | Linux | Linux | unaffected 6.1 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.168 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.134 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.81 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.22 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.12 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/0b706fb2294aff3adfd54653bda1b5e356ad4566 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/562ed1954f0c1bff3422b7b752bd3dacf185edbf | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/244b639e6a3a8e26241e201004a3a9f764476631 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/bda93eec78cdbfe5cda00785cefebd443e56b88b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/24fa32369cf15d8fc918bdfe94097b12e6acada0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/edb5898cfa91afe7e8f83eda18d93034c953d632 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.