{"api_version":"1","generated_at":"2026-05-13T02:10:57+00:00","cve":"CVE-2026-43059","urls":{"html":"https://cve.report/CVE-2026-43059","api":"https://cve.report/api/cve/CVE-2026-43059.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43059","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43059"},"summary":{"title":"Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix list corruption and UAF in command complete handlers\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") introduced\nmgmt_pending_valid(), which not only validates the pending command but\nalso unlinks it from the pending list if it is valid. This change in\nsemantics requires updates to several completion handlers to avoid list\ncorruption and memory safety issues.\n\nThis patch addresses two left-over issues from the aforementioned rework:\n\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\nis replaced with mgmt_pending_free() in the success path. Since\nmgmt_pending_valid() already unlinks the command at the beginning of\nthe function, calling mgmt_pending_remove() leads to a double list_del()\nand subsequent list corruption/kernel panic.\n\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\npath is removed. Since the current command is already unlinked by\nmgmt_pending_valid(), this foreach loop would incorrectly target other\npending mesh commands, potentially freeing them while they are still being\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\nis also simplified to use cmd->opcode directly.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-05 16:16:14","updated_at":"2026-05-06 13:08:07"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77","name":"https://git.kernel.org/stable/c/b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/695b45b2262fcb5e71bed1175aad59c72f92aa78","name":"https://git.kernel.org/stable/c/695b45b2262fcb5e71bed1175aad59c72f92aa78","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/02023ff760cc104a5d86a82ef5b8dd89098ad78d","name":"https://git.kernel.org/stable/c/02023ff760cc104a5d86a82ef5b8dd89098ad78d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/17f89341cb4281d1da0e2fb0de5406ab7c4e25ef","name":"https://git.kernel.org/stable/c/17f89341cb4281d1da0e2fb0de5406ab7c4e25ef","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43059","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43059","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d71b98f253b079cbadc83266383f26fe7e9e103b 695b45b2262fcb5e71bed1175aad59c72f92aa78 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 302a1f674c00dd5581ab8e493ef44767c5101aab b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 302a1f674c00dd5581ab8e493ef44767c5101aab 02023ff760cc104a5d86a82ef5b8dd89098ad78d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 302a1f674c00dd5581ab8e493ef44767c5101aab 17f89341cb4281d1da0e2fb0de5406ab7c4e25ef git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 87a1f16f07c6c43771754075e08f45b41d237421 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.17","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.17 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.78 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.20 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.10 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/bluetooth/mgmt.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"695b45b2262fcb5e71bed1175aad59c72f92aa78","status":"affected","version":"d71b98f253b079cbadc83266383f26fe7e9e103b","versionType":"git"},{"lessThan":"b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77","status":"affected","version":"302a1f674c00dd5581ab8e493ef44767c5101aab","versionType":"git"},{"lessThan":"02023ff760cc104a5d86a82ef5b8dd89098ad78d","status":"affected","version":"302a1f674c00dd5581ab8e493ef44767c5101aab","versionType":"git"},{"lessThan":"17f89341cb4281d1da0e2fb0de5406ab7c4e25ef","status":"affected","version":"302a1f674c00dd5581ab8e493ef44767c5101aab","versionType":"git"},{"status":"affected","version":"87a1f16f07c6c43771754075e08f45b41d237421","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/bluetooth/mgmt.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.17"},{"lessThan":"6.17","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.78","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.20","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.78","versionStartIncluding":"6.12.59","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.20","versionStartIncluding":"6.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.10","versionStartIncluding":"6.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16.10","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix list corruption and UAF in command complete handlers\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") introduced\nmgmt_pending_valid(), which not only validates the pending command but\nalso unlinks it from the pending list if it is valid. This change in\nsemantics requires updates to several completion handlers to avoid list\ncorruption and memory safety issues.\n\nThis patch addresses two left-over issues from the aforementioned rework:\n\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\nis replaced with mgmt_pending_free() in the success path. Since\nmgmt_pending_valid() already unlinks the command at the beginning of\nthe function, calling mgmt_pending_remove() leads to a double list_del()\nand subsequent list corruption/kernel panic.\n\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\npath is removed. Since the current command is already unlinked by\nmgmt_pending_valid(), this foreach loop would incorrectly target other\npending mesh commands, potentially freeing them while they are still being\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\nis also simplified to use cmd->opcode directly."}],"providerMetadata":{"dateUpdated":"2026-05-05T15:17:25.727Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/695b45b2262fcb5e71bed1175aad59c72f92aa78"},{"url":"https://git.kernel.org/stable/c/b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77"},{"url":"https://git.kernel.org/stable/c/02023ff760cc104a5d86a82ef5b8dd89098ad78d"},{"url":"https://git.kernel.org/stable/c/17f89341cb4281d1da0e2fb0de5406ab7c4e25ef"}],"title":"Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43059","datePublished":"2026-05-05T15:17:25.727Z","dateReserved":"2026-05-01T14:12:55.981Z","dateUpdated":"2026-05-05T15:17:25.727Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-05 16:16:14","lastModifiedDate":"2026-05-06 13:08:07","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43059","Ordinal":"1","Title":"Bluetooth: MGMT: Fix list corruption and UAF in command complete","CVE":"CVE-2026-43059","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43059","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix list corruption and UAF in command complete handlers\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") introduced\nmgmt_pending_valid(), which not only validates the pending command but\nalso unlinks it from the pending list if it is valid. This change in\nsemantics requires updates to several completion handlers to avoid list\ncorruption and memory safety issues.\n\nThis patch addresses two left-over issues from the aforementioned rework:\n\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\nis replaced with mgmt_pending_free() in the success path. Since\nmgmt_pending_valid() already unlinks the command at the beginning of\nthe function, calling mgmt_pending_remove() leads to a double list_del()\nand subsequent list corruption/kernel panic.\n\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\npath is removed. Since the current command is already unlinked by\nmgmt_pending_valid(), this foreach loop would incorrectly target other\npending mesh commands, potentially freeing them while they are still being\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\nis also simplified to use cmd->opcode directly.","Type":"Description","Title":"Bluetooth: MGMT: Fix list corruption and UAF in command complete"}]}}}