Skip to main content

Linux Kernel CVE-2026-43017

| EUVDEUVD-2026-26616 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 14:22 vuln.today
CVSS changed
May 08, 2026 - 14:22 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26616
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate mesh send advertising payload length

mesh_send() currently bounds MGMT_OP_MESH_SEND by total command length, but it never verifies that the bytes supplied for the flexible adv_data[] array actually match the embedded adv_data_len field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer.

Keep rejecting zero-length and oversized advertising payloads, but validate adv_data_len explicitly and require the command length to exactly match the flexible array size before queueing the request.

AnalysisAI

Linux kernel Bluetooth MGMT subsystem fails to validate the advertised data length field in mesh send operations, allowing local authenticated attackers to trigger denial of service by reading beyond allocated buffer boundaries. The vulnerability affects the mesh_send() function which accepts a truncated MGMT_OP_MESH_SEND command that passes length checks but contains mismatched adv_data_len and actual payload, leading to out-of-bounds access during async mesh transmission. Patch versions include 6.6.134, 6.12.81, 6.1.168, 6.18.22, and 7.0.

Technical ContextAI

The Linux kernel Bluetooth Management (MGMT) interface processes mesh networking commands through the mesh_send() function. The vulnerability exists in the MGMT_OP_MESH_SEND command handler, which defines a flexible array structure with a fixed header (MGMT_MESH_SEND_SIZE) followed by variable-length advertising data (adv_data[]). The root cause is insufficient validation: the function checks that the total command length falls within 20-50 bytes but never verifies that the adv_data_len field value matches the actual bytes provided in the command buffer. When a truncated command is queued, the async mesh transmission path later reads past the allocated buffer using the unvalidated adv_data_len value. This is a classic buffer over-read condition in flexible array handling, where the embedded length field (adv_data_len) disagrees with the actual received data size.

RemediationAI

Vendor-released patches are available in stable kernel releases. Update to Linux kernel 6.6.134 or later, Linux 6.12.81 or later, Linux 6.1.168 or later, Linux 6.18.22 or later, or Linux 7.0 and later. The upstream fix can be found at the following commits: 24fa32369cf15d8fc918bdfe94097b12e6acada0, 244b639e6a3a8e26241e201004a3a9f764476631, 0b706fb2294aff3adfd54653bda1b5e356ad4566, edb5898cfa91afe7e8f83eda18d93034c953d632, and 562ed1954f0c1bff3422b7b752bd3dacf185edbf (available via git.kernel.org). For systems unable to patch immediately, disable Bluetooth MGMT mesh functionality if not in use by removing bluetooth kernel modules or via module parameter restrictions (verify with your kernel build configuration). This carries the trade-off of losing mesh networking capability but eliminates the attack surface.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy