CVE-2026-43059 Overview
CVE-2026-43059 is a Linux kernel vulnerability in the Bluetooth management (MGMT) subsystem. The flaw affects command complete handlers and produces list corruption alongside use-after-free (UAF) conditions. It originates from a prior fix, commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs"), which changed the semantics of mgmt_pending_valid() to unlink pending commands during validation. Two completion handlers were not updated to match the new behavior, leaving residual memory safety issues.
Critical Impact
A successful trigger leads to kernel list corruption or use-after-free in the Bluetooth MGMT subsystem, which can result in kernel panic or memory safety violations.
Affected Products
- Linux kernel (Bluetooth MGMT subsystem)
- Distributions shipping the kernel revision that contains commit 302a1f674c00
- Stable kernel branches referenced in the upstream commits 02023ff760cc, 17f89341cb42, 695b45b2262f, and b5c5e96f3b0a
Discovery Timeline
- 2026-05-05 - CVE-2026-43059 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43059
Vulnerability Analysis
The vulnerability resides in the Linux kernel Bluetooth MGMT command completion path. After commit 302a1f674c00, mgmt_pending_valid() validates a pending command and unlinks it from the pending list as part of validation. Two handlers continued to operate as if the command remained linked.
In mgmt_add_adv_patterns_monitor_complete(), the success path calls mgmt_pending_remove() on a command that mgmt_pending_valid() already unlinked. The duplicate list_del() corrupts the pending list and can panic the kernel.
In set_mesh_complete(), the error path uses mgmt_pending_foreach() to iterate pending commands. Because the current command is already unlinked, the loop targets unrelated mesh commands and may free them while other code paths still reference them. This produces a use-after-free [CWE-416].
Root Cause
The root cause is inconsistent ownership semantics introduced when mgmt_pending_valid() started unlinking commands. Callers retained legacy cleanup logic that assumed the command was still on the list, producing double-unlink and incorrect cross-command iteration.
Attack Vector
Triggering the flaw requires interaction with the Bluetooth MGMT interface, specifically issuing advertisement pattern monitor and mesh configuration commands that invoke the affected completion handlers. A local attacker with the ability to issue MGMT commands can induce list corruption or free in-use command structures, leading to denial of service or potential memory corruption primitives.
No public exploit code is available for CVE-2026-43059. Refer to the upstream kernel commits for technical details on the corrected handler logic.
Detection Methods for CVE-2026-43059
Indicators of Compromise
- Kernel panic messages referencing list_del corruption originating from the Bluetooth MGMT path
- KASAN use-after-free reports (BUG: KASAN: slab-use-after-free) implicating set_mesh_complete or mgmt_add_adv_patterns_monitor_complete
- Unexpected Bluetooth subsystem crashes following advertisement monitor or mesh configuration operations
Detection Strategies
- Compare running kernel versions against the patched commits 02023ff760cc, 17f89341cb42, 695b45b2262f, and b5c5e96f3b0a to identify unpatched hosts
- Enable CONFIG_DEBUG_LIST and KASAN in test environments to surface list corruption and UAF conditions early
- Monitor dmesg and crash dumps for repeating Bluetooth MGMT faults that correlate with userspace MGMT activity
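The filter below is an added example, not part of the advisory or of the kernel project. It reads kernel log text on stdin and reports whether a list_del corruption or KASAN use-after-free report appears together with one of the two handler names listed above; the sample log lines, addresses, offsets and task name are constructed placeholders.

```shell
#!/bin/sh
# Added triage filter for the CVE-2026-43059 indicators: it is not kernel
# code and does not decide whether a host is patched, only whether the
# log shows the fault signature next to one of the affected handlers.

# The two MGMT completion handlers named in the advisory.
HANDLERS='set_mesh_complete|mgmt_add_adv_patterns_monitor_complete'
# Fault signatures: CONFIG_DEBUG_LIST double-unlink report and KASAN UAF.
FAULTS='list_del corruption|KASAN: (slab-)?use-after-free'

# Exit 0 when stdin carries both a fault signature and a handler name.
mgmt_fault_present() {
    log=$(cat)
    printf '%s\n' "$log" | grep -E -q "$FAULTS" &&
    printf '%s\n' "$log" | grep -E -q "$HANDLERS"
}

# Print only the lines worth attaching to an incident ticket.
mgmt_fault_lines() {
    grep -E "$FAULTS|$HANDLERS"
}

# Constructed sample: a double list_del() under
# mgmt_add_adv_patterns_monitor_complete(), then a KASAN report in
# set_mesh_complete(). Addresses, offsets and the task id are made up.
SAMPLE_LOG='[  120.331] Bluetooth: hci0: MGMT ver 1.23
[  121.004] list_del corruption. prev->next should be ffff888100a5c0c0, but was ffff888100a5d000
[  121.004] Call Trace:
[  121.004]  mgmt_pending_remove+0x1a/0x40 [bluetooth]
[  121.004]  mgmt_add_adv_patterns_monitor_complete+0x8c/0x1f0 [bluetooth]
[  300.771] BUG: KASAN: slab-use-after-free in set_mesh_complete+0xa4/0x2c0 [bluetooth]
[  300.771] Read of size 4 at addr ffff888100b00010 by task bluetoothd/812'

# Constructed benign noise that must not trigger the filter.
BENIGN_LOG='[   10.221] Bluetooth: Core ver 2.22
[   10.222] Bluetooth: hci0: Opcode 0x0c03 failed: -110'

# Stand-alone demo; in production feed it `dmesg` or the forwarded kern.log.
if printf '%s\n' "$SAMPLE_LOG" | mgmt_fault_present; then
    echo "CVE-2026-43059 indicator present; review MGMT activity on this host:"
    printf '%s\n' "$SAMPLE_LOG" | mgmt_fault_lines
fi
```

Run it as `dmesg | sh -c '. ./mgmt_triage.sh; mgmt_fault_present'` on a live host, or point it at the centralized kernel log export.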
Monitoring Recommendations
- Forward kernel logs to a centralized log platform and alert on Bluetooth subsystem oops or panic strings
- Track processes opening AF_BLUETOOTH HCI sockets to baseline normal MGMT command issuers
- Audit local user privileges that grant CAP_NET_ADMIN, which is required to send MGMT commands
How to Mitigate CVE-2026-43059
Immediate Actions Required
- Apply the upstream stable kernel updates that include commits 02023ff760cc, 17f89341cb42, 695b45b2262f, and b5c5e96f3b0a
- Reboot affected systems after patching to load the corrected Bluetooth MGMT code paths
- Inventory hosts with active Bluetooth stacks and prioritize servers and workstations exposing MGMT functionality
Patch Information
The fix replaces mgmt_pending_remove() with mgmt_pending_free() in the success path of mgmt_add_adv_patterns_monitor_complete(), eliminating the double list_del(). In set_mesh_complete(), the patch removes the mgmt_pending_foreach() call from the error path and simplifies the redundant mgmt_cmd_status() to use cmd->opcode directly. See the upstream changes: Kernel commit 02023ff760cc, Kernel commit 17f89341cb42, Kernel commit 695b45b2262f, and Kernel commit b5c5e96f3b0a.
Workarounds
- Disable the Bluetooth kernel modules on systems that do not require Bluetooth functionality using rmmod bluetooth and blocklist entries
- Restrict CAP_NET_ADMIN so unprivileged users cannot issue MGMT commands
- Limit local access to systems exposing Bluetooth interfaces until the patched kernel is deployed
# Configuration example
# Blocklist Bluetooth modules where the stack is not required
echo 'install bluetooth /bin/true' | sudo tee /etc/modprobe.d/disable-bluetooth.conf
sudo systemctl disable --now bluetooth.service
sudo modprobe -r btusb bluetooth || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.