Skip to main content

Linux Kernel CVE-2026-43018

| EUVDEUVD-2026-26617 HIGH
Use After Free (CWE-416)
2026-05-01 Linux
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:34 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
8.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26617
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt

hci_conn lookup and field access must be covered by hdev lock in hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed concurrently.

Extend the hci_dev_lock critical section to cover all conn usage.

AnalysisAI

Use-after-free in Linux Kernel Bluetooth stack allows adjacent network attackers to execute arbitrary code, escalate privileges, or cause denial of service without authentication. The vulnerability exists in hci_le_remote_conn_param_req_evt where hci_conn lookup and field access occurs outside the hdev lock protection, enabling concurrent memory corruption. Patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Technical ContextAI

This is a race condition vulnerability in the Linux Kernel Bluetooth Host Controller Interface (HCI) event handling subsystem. The affected function hci_le_remote_conn_param_req_evt handles Bluetooth Low Energy (BLE) remote connection parameter requests. The vulnerability stems from improper locking around hci_conn structure access - specifically, the code performs hci_conn lookup and subsequent field access operations outside the critical section protected by hci_dev_lock. This creates a time-of-check-to-time-of-use (TOCTOU) window where another thread can free the hci_conn structure between lookup and use, resulting in a use-after-free condition. The affected code path was introduced in commit 95118dd4edfec950898a00180c6f998df0a6406d and exists in kernel versions from 5.17 onwards. The fix extends the hci_dev_lock critical section to encompass all hci_conn operations, preventing concurrent access during the event handler's execution.

RemediationAI

Upgrade to patched kernel versions: 6.1.168+ for longterm branch users, 6.6.134+ for 6.6.x series, 6.12.81+ for 6.12.x series, 6.18.22+ for 6.18.x series, 6.19.12+ for 6.19.x series, or 7.0+ for mainline. Distribution-specific patches are available through standard update mechanisms (apt, yum, dnf, zypper). Kernel update advisories with CVE references: https://git.kernel.org/stable/c/1d0bdbfe3e91c11f0a704c52443a9446a10d699c (mainline fix), https://git.kernel.org/stable/c/b255531b27da336571411248c2a72a350662bd09 (6.19.x), https://git.kernel.org/stable/c/ea3cd36d7382d5f8309df04c275d20df139ed42c (6.18.x), https://git.kernel.org/stable/c/7cadb03be37e761130edb153544fe0770a842b19 (6.12.x), https://git.kernel.org/stable/c/5fb69e1eeea9d6cba80517e9f058b56b34bc3a81 (6.6.x), https://git.kernel.org/stable/c/59eecf0ffde15670e6a5e10c47be67f73d843b20 (6.1.x). Compensating control if patching is delayed: disable Bluetooth subsystem entirely via kernel parameter 'bluetooth.disable_ble=1' or blacklist bluetooth kernel modules (btusb, bluetooth), trading all Bluetooth functionality for complete mitigation. Alternative: restrict Bluetooth to trusted devices only via BlueZ configuration, reducing exposure to untrusted adjacent attackers, though this does not eliminate the race condition if trusted devices are compromised. Kernel restart required after patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43018 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy