CVE-2026-43059 Linux CVE debrief

Who should care

Linux kernel maintainers, distribution security teams, and operators running kernels with Bluetooth MGMT support should prioritize this issue, especially on systems where Bluetooth management features are enabled or customized.

Technical summary

The root cause is a semantic change introduced by mgmt_pending_valid(): it validates a pending command and also unlinks it from the pending list when valid. In mgmt_add_adv_patterns_monitor_complete(), the success path still called mgmt_pending_remove(), which can double-remove the same list entry and corrupt the list. In set_mesh_complete(), an error-path mgmt_pending_foreach() remained even though the current command had already been unlinked; that loop could target other pending mesh commands and free them while still in use, creating a use-after-free risk. The patch also simplifies mgmt_cmd_status() to use cmd->opcode directly.

Defensive priority

High

Recommended defensive actions

• Apply Linux kernel updates that include the referenced fixes for Bluetooth MGMT completion handlers.
• If you maintain a downstream or custom kernel, backport the relevant stable commits referenced in the advisory and verify the Bluetooth MGMT code paths.
• Prioritize patching systems that rely on Bluetooth management features, including embedded and fleet devices.
• Watch for kernel crashes, list corruption symptoms, or unexpected Bluetooth management instability until patched builds are deployed.
• Confirm that your distribution’s backport includes both the list-corruption fix in mgmt_add_adv_patterns_monitor_complete() and the UAF fix in set_mesh_complete().

Evidence notes

This debrief is based on the supplied CVE description and NVD record metadata. The issue is described as resolved in Linux kernel Bluetooth MGMT command complete handlers, with references to four stable kernel commits. No CVSS vector or severity was provided in the source corpus, so no score is stated here.

Official resources