HIGH
Bluetooth MGMT pending command UAF
CVE-2026-31511
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete

This fixes the condition checking so mgmt_pending_valid is executed whenever status != -ECANCELED; otherwise calling mgmt_pending_free(cmd) would kfree(cmd) without unlinking it from the list first, leaving a dangling pointer. Any subsequent list traversal (e.g., mgmt_pending_foreach during __mgmt_power_off, or another mgmt_pending_valid call) would dereference freed memory.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the Bluetooth management (MGMT) code could allow a local attacker with Bluetooth privileges to cause system crashes or potentially execute arbitrary code. The bug occurs when an advertisement pattern monitor operation fails: the pending command structure is freed while it is still linked in the device's pending list, so a later traversal of that list touches freed memory.
Vulnerability analysis
Root Cause: The original condition in mgmt_add_adv_patterns_monitor_complete() only evaluated mgmt_pending_valid() when status was -ECANCELED. For any other error status the check was skipped entirely, and the function went on to call mgmt_pending_free(cmd), which frees the command structure without first unlinking it from the pending list. The freed entry therefore remains reachable from the list as a dangling pointer.
Attack Surface: This vulnerability affects Bluetooth management operations and requires local access with appropriate privileges to interact with Bluetooth management interfaces. The bug is triggered during advertisement pattern monitor operations, which are typically privileged operations.
Fix Mechanism: The patch changes the condition from 'status == -ECANCELED && !mgmt_pending_valid(hdev, cmd)' to 'status == -ECANCELED || !mgmt_pending_valid(hdev, cmd)'. This ensures that mgmt_pending_valid() is called for all non-ECANCELED statuses, properly unlinking the command from the list before freeing it.
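To make the condition change concrete, here is a small added model (not kernel code, and not the KernelScan analysis) of the pending-command list with the handler's error path written both ways. The list helpers, mgmt_pending_valid() and mgmt_pending_free() are stand-ins that mirror the kernel names; kfree() is modelled by a flag so that walking the list afterwards is safe and simply reports how many freed entries are still linked.

```c
/*
 * Added illustration (not kernel code): a small model of the mgmt pending-command
 * list showing why the original condition in
 * mgmt_add_adv_patterns_monitor_complete() leaves a freed command linked.
 * Names mirror the kernel's, but the list, "valid" and "free" helpers are
 * stand-ins; kfree() is modelled by a flag so the walk below never touches
 * released memory.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void init_list(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

struct mgmt_pending_cmd {
    struct list_head list;   /* must stay first: the walk casts list_head* back to cmd */
    bool freed;              /* models kfree(); a linked entry with freed==true is the bug */
};

struct hci_dev { struct list_head mgmt_pending; };

/* Model of mgmt_pending_valid(): true only if cmd is still on the list; unlinks it. */
static bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
{
    for (struct list_head *p = hdev->mgmt_pending.next; p != &hdev->mgmt_pending; p = p->next) {
        if (p == &cmd->list) {
            list_del(&cmd->list);
            return true;
        }
    }
    return false;
}

static void mgmt_pending_free(struct mgmt_pending_cmd *cmd) { cmd->freed = true; }

/* Error path only; the success path (reply + release) is left out of the model. */
static void complete_before_fix(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd, int status)
{
    /* Original condition: a non-ECANCELED failure skips mgmt_pending_valid() entirely. */
    if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd))
        return;
    if (status)
        mgmt_pending_free(cmd);   /* freed while still linked */
}

static void complete_after_fix(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd, int status)
{
    /* Fixed condition: cancellation returns early; every other status goes through
     * mgmt_pending_valid(), which unlinks cmd before it can be freed. */
    if (status == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
        return;
    if (status)
        mgmt_pending_free(cmd);   /* already unlinked, so nothing dangles */
}

/* Walk the pending list and count entries that were freed but never unlinked. */
static int dangling_entries(const struct hci_dev *hdev)
{
    int n = 0;
    for (const struct list_head *p = hdev->mgmt_pending.next; p != &hdev->mgmt_pending; p = p->next)
        if (((const struct mgmt_pending_cmd *)p)->freed)
            n++;
    return n;
}

typedef void (*complete_fn)(struct hci_dev *, struct mgmt_pending_cmd *, int);

/* Queue one command, complete it with the given status, and report the dangling count. */
static int run_scenario(complete_fn complete, int status)
{
    struct hci_dev hdev;
    struct mgmt_pending_cmd cmd = { .freed = false };

    init_list(&hdev.mgmt_pending);
    list_add(&cmd.list, &hdev.mgmt_pending);
    complete(&hdev, &cmd, status);
    return dangling_entries(&hdev);
}

int main(void)
{
    printf("before fix, status=-EINVAL: %d dangling\n", run_scenario(complete_before_fix, -EINVAL));
    printf("after fix,  status=-EINVAL: %d dangling\n", run_scenario(complete_after_fix, -EINVAL));
    return 0;
}
```

With a generic failure such as -EINVAL, the pre-fix handler leaves one freed-but-linked entry, which is exactly what a later mgmt_pending_foreach or mgmt_pending_valid walk would dereference in the real kernel; the fixed handler leaves none. For -ECANCELED both variants leave nothing dangling: the original unlinks through mgmt_pending_valid() before freeing, and the fixed one returns early and leaves cleanup to the cancelling path.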
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.80 | 2074dfffad76 |
| 6.17 | 6.17 | 340666172cf7 |
| 6.18 | 6.18.21 | bafec9325d4d |
| 6.19 | 6.19.11 | 3a89c33deffb |
| mainline | 7.0 | 5f5fa4cd35f7 |