PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23151 Linux CVE debrief

CVE-2026-23151 is a Linux kernel Bluetooth MGMT bug in which pending command objects were not freed after their completion handlers ran, leaking one mgmt_pending_cmd object (and its parameter data) per affected SSP or advertising command. The issue is rated medium severity and primarily threatens availability through memory exhaustion.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-14
Original CVE updated
2026-05-17
Advisory published
2026-02-14
Advisory updated
2026-05-17

Who should care

Linux kernel maintainers, distribution security teams, and operators running affected kernels with Bluetooth enabled should care, especially where repeated Bluetooth management operations are possible.

Technical summary

The kernel Bluetooth MGMT code lacked a mgmt_pending_free(cmd) call on both the error path and the success path of set_ssp_complete(), and set_advertising_complete() had the same defect. As the record describes it, mgmt_pending_cmd structures and their associated parameter data were removed from the pending list but never freed, so every completed SSP or advertising command leaked its command object. NVD maps the issue to CWE-401 (Missing Release of Memory after Effective Lifetime) and rates it CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5, Medium): a local, low-privilege attacker, no confidentiality or integrity impact, high availability impact.
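To make the failure mode concrete, the following is an added user-space model of the pattern described above; it is not kernel code and not the patch. The names pending_cmd, pending_add(), pending_remove(), pending_free() and the two completion handlers are simplified stand-ins for the kernel's mgmt_pending_cmd, mgmt_pending_remove() and mgmt_pending_free(), with an assumed layout. It counts live heap objects so the per-command leak is measurable:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the kernel's struct mgmt_pending_cmd (assumed
 * layout, not the real one): a list node plus a separately allocated copy
 * of the request parameters. */
struct pending_cmd {
	struct pending_cmd *next;
	unsigned opcode;
	void *param;
	size_t param_len;
};

static struct pending_cmd *pending_head;   /* the "pending list" */
static int live_allocs;                    /* instrumentation: outstanding heap objects */

/* Allocate a command and its parameter copy and link it into the list
 * (models the kernel's pending-add step). */
static struct pending_cmd *pending_add(unsigned opcode, const void *param, size_t len)
{
	struct pending_cmd *cmd = calloc(1, sizeof *cmd);
	if (!cmd)
		return NULL;
	cmd->param = malloc(len);
	if (!cmd->param) {
		free(cmd);
		return NULL;
	}
	memcpy(cmd->param, param, len);
	cmd->param_len = len;
	cmd->opcode = opcode;
	cmd->next = pending_head;
	pending_head = cmd;
	live_allocs += 2;   /* node + parameter buffer */
	return cmd;
}

/* Unlink only; ownership stays with the caller, who must free the object
 * (models mgmt_pending_remove after the pending-handling change). */
static void pending_remove(struct pending_cmd *cmd)
{
	for (struct pending_cmd **pp = &pending_head; *pp; pp = &(*pp)->next) {
		if (*pp == cmd) {
			*pp = cmd->next;
			cmd->next = NULL;
			return;
		}
	}
}

/* Release the node and its parameter copy (models mgmt_pending_free). */
static void pending_free(struct pending_cmd *cmd)
{
	if (!cmd)
		return;
	free(cmd->param);
	free(cmd);
	live_allocs -= 2;
}

/* The CWE-401 pattern: the completion handler unlinks the command and then
 * returns from both the error path and the success path without freeing it. */
static void set_ssp_complete_leaky(struct pending_cmd *cmd, int status)
{
	pending_remove(cmd);
	if (status)
		return;          /* error path: cmd is now unreachable and leaked */
	/* success path: the new setting would be applied here; cmd leaked again */
}

/* Corrected handler: every exit path releases the command. */
static void set_ssp_complete_fixed(struct pending_cmd *cmd, int status)
{
	pending_remove(cmd);
	if (status) {
		pending_free(cmd);
		return;
	}
	pending_free(cmd);
}

/* Push n commands through a completion handler, alternating success and
 * error, and report how many heap objects are still live afterwards. A
 * correct handler leaves 0; the leaky one leaves 2 per command. */
static int run_commands(void (*complete)(struct pending_cmd *, int), int n)
{
	unsigned char param = 0x01;           /* constructed request payload */
	live_allocs = 0;
	for (int i = 0; i < n; i++) {
		struct pending_cmd *cmd = pending_add(1 /* arbitrary opcode */, &param, sizeof param);
		if (!cmd)
			return -1;
		complete(cmd, i & 1);
	}
	return live_allocs;
}

int main(void)
{
	printf("leaky handler: %d live objects after 100 commands\n",
	       run_commands(set_ssp_complete_leaky, 100));
	printf("fixed handler: %d live objects after 100 commands\n",
	       run_commands(set_ssp_complete_fixed, 100));
	return 0;
}
```

The leaky handler leaves two heap objects outstanding per command, and nothing on the pending list references them any more, so they cannot be reclaimed later. When reviewing a backport, the shape to look for is the same as in this model: a pending_remove-style unlink in a completion handler whose every exit path, error and success alike, is followed by the matching free.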

Defensive priority

Patch promptly on affected Linux kernel builds. While this is not a code-execution issue, repeated leaks in a kernel subsystem can still lead to resource exhaustion and service disruption.

Recommended defensive actions

  • Upgrade to a kernel build that includes the fixes for set_ssp_complete() and set_advertising_complete().
  • Verify your distro backport includes the missing mgmt_pending_free(cmd) calls, not just the upstream commit reference.
  • Prioritize fleets that expose Bluetooth management functionality or have long-lived systems where cumulative leaks matter.
  • Use the NVD and kernel patch references to confirm your exact release line is no longer in the affected ranges.
  • Monitor for abnormal memory growth on systems that frequently process Bluetooth SSP or advertising management commands.

Evidence notes

The CVE record was published on 2026-02-14 and modified on 2026-05-17. The description states that commit 302a1f674c00 changed pending-command handling but missed freeing mgmt_pending_cmd objects in set_ssp_complete(), and that the same issue was also corrected in set_advertising_complete(). NVD classifies the weakness as CWE-401 and lists affected Linux kernel ranges of 6.12.59 up to but not including 6.12.69, 6.16.10 up to but not including 6.17, and 6.17.1 up to but not including 6.18.9, plus separate entries for 6.17 and for 6.19-rc1 through 6.19-rc7.

Official resources

The CVE record (published 2026-02-14, last modified 2026-05-17) and the kernel patch references it links are the authoritative sources; use them to confirm that the fix is present in your build line.