KernelScan.io

HIGH

bluetooth MGMT UAF

CVE-2026-43059

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 7.5 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers

Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), which not only validates the pending command but also unlinks it from the pending list if it is valid. This change in semantics requires updates to several completion handlers to avoid list corruption and memory safety issues.

This patch addresses two left-over issues from the aforementioned rework:

1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() is replaced with mgmt_pending_free() in the success path. Since mgmt_pending_valid() already unlinks the command at the beginning of the function, calling mgmt_pending_remove() leads to a double list_del() and subsequent list corruption/kernel panic.

2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error path is removed. Since the current command is already unlinked by mgmt_pending_valid(), this foreach loop would incorrectly target other pending mesh commands, potentially freeing them while they are still being processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() is also simplified to use cmd->opcode directly.

02

Engine v0.2.0

Risk summary

A use-after-free and list-corruption vulnerability in Bluetooth MGMT command completion handlers enables kernel memory corruption, information disclosure, and system crashes. The bug is reachable when Bluetooth is enabled and can be triggered by an attacker with CAP_NET_ADMIN privileges (obtainable via unprivileged user namespaces by default). Successful exploitation can lead to kernel panic (availability impact) and potentially arbitrary memory corruption or information leak via the UAF primitive.

Affected: net/bluetooth/mgmt.c (Bluetooth MGMT)

Vulnerability analysis

The vulnerability stems from incomplete updates to the Bluetooth MGMT command completion handlers after the semantics of mgmt_pending_valid() changed so that it unlinks a valid pending command from the pending list. In mgmt_add_adv_patterns_monitor_complete(), calling mgmt_pending_remove() on a command that mgmt_pending_valid() has already unlinked causes a deterministic double list_del(), resulting in list corruption and a kernel panic. In set_mesh_complete(), the error path used mgmt_pending_foreach() to iterate over the pending list; because the current command had already been unlinked, the loop instead matched other pending mesh commands and freed them while they were still being processed concurrently, leading to a use-after-free. The fix replaces mgmt_pending_remove() with mgmt_pending_free() in the success path and removes the foreach loop from the error path. Because the MGMT interface is part of the Bluetooth subsystem, the attack surface is Adjacent (physical proximity required); note that the NVD vector above (AV:L) rates the attack vector as Local. On default kernels, unprivileged users can acquire CAP_NET_ADMIN through user namespaces, lowering the privilege barrier.

03

Branch     Fixed in   Patch commit
6.12       6.12.78    695b45b2262f
6.17       6.17       02023ff760cc
6.18       6.18.20    17f89341cb42
6.19       6.19.10
6.7        6.7        b5c5e96f3b0a
mainline   7.0