Skip to main content

Linux Kernel EUVDEUVD-2026-27371

| CVE-2026-43069 MEDIUM
Memory Leak (CWE-401)
2026-05-05 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 29, 2026 - 20:16 vuln.today
CVSS changed
May 29, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch available
May 05, 2026 - 17:31 EUVD
CVE Published
May 05, 2026 - 15:23 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_ll: Fix firmware leak on error path

Smatch reports:

drivers/bluetooth/hci_ll.c:587 download_firmware() warn: 'fw' from request_firmware() not released on lines: 544.

In download_firmware(), if request_firmware() succeeds but the returned firmware content is invalid (no data or zero size), the function returns without releasing the firmware, resulting in a resource leak.

Fix this by calling release_firmware() before returning when request_firmware() succeeded but the firmware content is invalid.

AnalysisAI

Resource leak in the Linux kernel's Bluetooth hci_ll driver allows a local authenticated user to cause kernel memory exhaustion by repeatedly triggering an error path in download_firmware() where firmware objects allocated by request_firmware() are never released when their content is invalid. Systems equipped with Texas Instruments Bluetooth hardware (using the hci_ll driver) are affected across numerous stable kernel branches dating back to Linux 4.12. No public exploit exists and EPSS is 0.02% (7th percentile), classifying this as a low-urgency maintenance fix; patches are available across all actively maintained stable branches.

Technical ContextAI

The affected code resides in drivers/bluetooth/hci_ll.c, which implements the HCI Low Latency (LL) protocol for Texas Instruments Bluetooth chipsets. The download_firmware() function invokes request_firmware() to allocate and populate a firmware object from the filesystem; CWE-401 (Missing Release of Memory after Effective Lifetime) applies because when request_firmware() succeeds but the returned firmware object carries null data or a zero size, the function returns an error code without first calling release_firmware(), leaking the kernel firmware descriptor. This class of defect is a canonical resource-lifetime management error surfaced by static analysis tooling - in this case, Smatch flagged line 544 in hci_ll.c. The CPE cpe:2.3:a:linux:linux:* identifies the upstream Linux kernel as the affected codebase, with the Bluetooth subsystem's firmware loading path as the specific attack surface. The bug was introduced at commit 371805522f870986144fcd88727a47858e364a2c (Linux 4.12) and remained unresolved across all subsequent stable branches until patched.

RemediationAI

Vendor-released patches are confirmed available across all actively maintained stable kernel branches. Administrators should upgrade to Linux 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, or 7.0 depending on the deployed branch. Per-branch fix commits are accessible at the upstream stable tree: https://git.kernel.org/stable/c/95e8601af227b2b4390eecf8db6abdb9f6a91f17 (and related commits at e6d95488c8c964d1df0d3e1db44c958706311e86, b2dfbf1b5ff192cefd49574b951a4af9ddd32213, 28904375d54b436a757641fb0331537778c0de5a, and others listed in the CVE references). Where immediate patching is not possible, administrators on systems that do not use TI hci_ll Bluetooth hardware can blacklist the hci_ll module by adding 'blacklist hci_ll' to /etc/modprobe.d/blacklist.conf and running 'modprobe -r hci_ll'; this has no functional impact on non-TI Bluetooth hardware but will disable TI LL-protocol Bluetooth on affected devices. On systems that do require TI hci_ll, restricting local unprivileged user access to Bluetooth device nodes (/dev/hci*) reduces the attack surface until patching is possible.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy