CVE-2026-43069 Linux CVE debrief

Who should care

Linux system administrators running kernels with Bluetooth support, embedded device manufacturers using hci_ll-based Bluetooth controllers, and security teams tracking kernel resource leak vulnerabilities.

Technical summary

The hci_ll driver's download_firmware() function in drivers/bluetooth/hci_ll.c fails to release firmware memory via release_firmware() when request_firmware() succeeds but the returned firmware content is invalid (NULL data or zero size). This results in a resource leak (CWE-401). The vulnerability is local, requires low privileges, and can lead to denial of service through memory exhaustion. CVSS 3.1 score: 5.5 (MEDIUM). Affected versions span Linux kernel 4.12 through multiple stable branches, with fixes backported to 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0-rc kernels.

Defensive priority

medium

Recommended defensive actions

• Apply the relevant stable kernel patch for your branch (see resource links).
• Verify kernel version is at or above: 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, or a 7.0-rc release containing the fix.
• If running a custom kernel with the hci_ll driver, ensure release_firmware() is called on all error paths after request_firmware() succeeds.
• Monitor system logs for firmware load failures on Bluetooth hci_ll devices as indicators of potential trigger conditions.

Evidence notes

CVE published 2026-05-05; NVD entry modified 2026-05-29. Smatch static analysis report identified the leak at drivers/bluetooth/hci_ll.c:587 in download_firmware(). The vulnerability occurs when request_firmware() returns successfully but the firmware has no data or zero size, causing an early return without release_firmware().

Official resources