PatchSiren cyber security CVE debrief

CVE-2026-43019 Linux CVE debrief

CVE-2026-43019 is a HIGH-severity vulnerability in the Linux kernel, specifically in Bluetooth HCI connection handling. It has a CVSS score of 7.8 and was published on May 1, 2026. It is a potential use-after-free (UAF) in the `set_cig_params_sync` function, arising from concurrent deletion or modification of `hci_conn` objects. Exploitation requires local access and can have a high impact on confidentiality, integrity, and availability.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-01
Original CVE updated: 2026-06-19
Advisory published: 2026-05-01
Advisory updated: 2026-06-19

Who should care

System administrators and security teams responsible for Linux kernel-based systems, especially those with Bluetooth enabled, should be aware of this vulnerability. This includes organizations running Linux-based servers, desktops, and embedded systems that use Bluetooth connections.

Technical summary

The vulnerability exists in the Linux kernel's Bluetooth HCI connection handling, specifically in the `set_cig_params_sync` function. The issue arises from missing locking, which allows concurrent access to `hci_conn` objects and a potential use-after-free. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: a local, low-privileged attacker with no user interaction required, with high impact on confidentiality, integrity, and availability. The vulnerability affects several Linux kernel series, including 6.4, 6.5, 6.6, 6.7, and the 7.0 RC versions.

Defensive priority

High priority, because of the potential for local privilege escalation and the high impact on confidentiality, integrity, and availability.

Recommended defensive actions

  • Inventory and review Linux kernel versions in use, focusing on Bluetooth-enabled systems.
  • Apply the fix from the Linux kernel stable branches (e.g., commit 66d432e9b45bae7881ffcdb12cd8fd0bf254ef02).
  • Implement compensating controls, such as restricting Bluetooth access and monitoring system calls.
  • Review and update Linux kernel configurations to disable unnecessary Bluetooth features.
  • Monitor system logs for suspicious Bluetooth-related activity.
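The inventory and Bluetooth-exposure steps above can be scripted for fleet triage. The following POSIX shell helper is an added example, not PatchSiren's own tooling; the affected-series list is copied from the debrief, and a match only flags a host for review against the stable-branch fix, since the page gives no fixed versions and stable backports may already be applied.

```shell
#!/bin/sh
# Added example (not from the PatchSiren debrief). Assumptions: the series list
# below is the one quoted in the debrief; matching a series means "review
# against the stable fix", not "confirmed vulnerable".

AFFECTED_SERIES="6.4 6.5 6.6 6.7 7.0"

# kernel_series "6.6.12-amd64" -> "6.6" (major.minor only)
kernel_series() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# in_affected_series "6.6.12-amd64" -> exit 0 if major.minor is in the list
in_affected_series() {
    series=$(kernel_series "$1")
    for s in $AFFECTED_SERIES; do
        [ "$s" = "$series" ] && return 0
    done
    return 1
}

# bluetooth_exposed -> exit 0 if the bluetooth module is loaded or an hci
# device is registered; both are real Linux paths (/proc/modules, /sys/class).
bluetooth_exposed() {
    if [ -r /proc/modules ] && grep -q '^bluetooth ' /proc/modules; then
        return 0
    fi
    [ -d /sys/class/bluetooth ] && [ -n "$(ls -A /sys/class/bluetooth 2>/dev/null)" ]
}

# triage: report the running kernel's series and the Bluetooth exposure surface
triage() {
    kver=$(uname -r)
    if in_affected_series "$kver"; then
        printf 'kernel %s: series %s is listed in the debrief; verify the stable fix is applied\n' \
            "$kver" "$(kernel_series "$kver")"
    else
        printf 'kernel %s: series not listed in the debrief\n' "$kver"
    fi
    if bluetooth_exposed; then
        printf 'bluetooth: module loaded or hci device present (exposure surface)\n'
    else
        printf 'bluetooth: module not loaded, no hci device\n'
    fi
}

triage
```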

Evidence notes

The vulnerability was published on May 1, 2026, and last modified on June 19, 2026. It affects Linux kernel series 6.4, 6.5, 6.6, 6.7, and the 7.0 RC versions. The CVE record and NVD detail pages provide comprehensive information, including CVSS scores and affected versions.

Official resources

This article is AI-assisted and based on the supplied source corpus.