CVE-2026-43059 Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers Commit 302a1f674c00 "Bluetooth: MGMT: Fix possible UAFs" introduced mgmtpendingvalid, which not only validates the pending command but also unlinks it from...

CVE-2026-23151

A flaw was found in the Linux kernel's Bluetooth Management MGMT component. This vulnerability, a memory leak, allows a local user with elevated privileges to cause the kernel to consume an increasing amount of memory. The issue stems from mgmtpendingcmd structures not being properly released aft...

EUVD-2026-5889

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix memory leak in setsspcomplete Fix memory leak in setsspcomplete where mgmtpendingcmd structures are not freed after being removed from the pending list. Commit 302a1f674c00 "Bluetooth: MGMT: Fix possible UAFs...

CVE-2026-23151

CVE-2026-23151 in the Linux kernel Bluetooth MGMT path fixes a memory leak in set_ssp_complete due to missing mgmt_pending_free(cmd) calls (and similarly in set_advertising_complete).Root cause: mgmt_pending_cmd structures and their data were not freed after SSP commands completed, after a prior ...

CVE-2026-23151 Bluetooth: MGMT: Fix memory leak in set_ssp_complete

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix memory leak in setsspcomplete Fix memory leak in setsspcomplete where mgmtpendingcmd structures are not freed after being removed from the pending list. Commit 302a1f674c00 "Bluetooth: MGMT: Fix possible UAFs...

kernel: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind

A use-after-free vulnerability was found in the Linux kernel's Bluetooth HCI socket implementation. A race condition between socket bind and write operations allows mgmtpending to free a command structure while writeiter is still attempting to send it, resulting in use-after-free when the freed...

kernel: Bluetooth: MGMT: Fix possible UAFs

A flaw was found in the Linux kernel’s Bluetooth management subsystem net/bluetooth/mgmt.c. The mgmtpending structure may be freed while still being processed, or remain on the pending command list, which allows a use-after-free or double-free scenario. An attacker with local access to the system...

PT-2026-8146

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A memory leak exists in the Bluetooth MGMT subsystem, specifically within the set ssp complete function. The issue arises from missing calls to mgmt pending free in both success and erro...

DEBIAN-CVE-2025-40213

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in setmeshsync and setmeshcomplete There is a BUG: KASAN: stack-out-of-bounds in setmeshsync due to memcpy from badly declared on-stack flexible array. Another crash is in setmeshcomplete due to double...

CVE-2025-39981

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible UAFs This attemps to fix possible UAFs caused by struct mgmtpending being freed while still being processed like in the following trace, in order to fix mgmtpendingvalid is introduce and use to check...

CVE-2025-39981

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible UAFs This attemps to fix possible UAFs caused by struct mgmtpending being freed while still being processed like in the following trace, in order to fix mgmtpendingvalid is introduce and use to check...

AZL-68501 CVE-2025-39981 affecting package kernel 6.6.126.1-1

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible UAFs This attemps to fix possible UAFs caused by struct mgmtpending being freed while still being processed like in the following trace, in order to fix mgmtpendingvalid is introduce and use to check...

CVE-2025-39981 Bluetooth: MGMT: Fix possible UAFs

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible UAFs This attemps to fix possible UAFs caused by struct mgmtpending being freed while still being processed like in the following trace, in order to fix mgmtpendingvalid is introduce and use to check...

CVE-2025-39981

CVE-2025-39981 is described in the initial document as a Linux kernel Bluetooth MGMT issue: a possible use-after-free (UAF) involving mgmt_pending being freed while still processed. The fix adds a mgmt_pending_valid check to ensure the item hasn’t been removed from the pending list, and tightens ...

AZL-70630 CVE-2025-38117 affecting package kernel 5.15.200.1-1

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Protect mgmtpending list with its own lock This uses a mutex to protect from concurrent access of mgmtpending list which can cause crashes like: ==================================================================...

UBUNTU-CVE-2025-38117

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Protect mgmtpending list with its own lock This uses a mutex to protect from concurrent access of mgmtpending list which can cause crashes like: ==================================================================...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from the Bluetooth MGMT unprotected mgmtpending list, which could lead to null pointer dereferences...