CVE-2026-23151
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 14/02/2026
Last modified: 17/03/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix memory leak in set_ssp_complete

Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures are not freed after being removed from the pending list.

Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced mgmt_pending_foreach() calls with individual command handling but missed adding mgmt_pending_free() calls in both error and success paths of set_ssp_complete(). Other completion functions like set_le_complete() were fixed correctly in the same commit.

This causes a memory leak of the mgmt_pending_cmd structure and its associated parameter data for each SSP command that completes.

Add the missing mgmt_pending_free(cmd) calls in both code paths to fix the memory leak. Also fix the same issue in set_advertising_complete().
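
The leak pattern described above, as an added userspace model in C; it is not the kernel's code and not part of the advisory. The fixed-size pool and the names `pending_cmd`, `pending_add`, `pending_remove`, `pending_free`, `complete_leaky`, `complete_fixed` and `leaked_after` are hypothetical stand-ins; the real objects are `mgmt_pending_cmd` and `mgmt_pending_free()`.

```c
/* Constructed userspace model of the leak; all names are stand-ins, not kernel code. */
#include <string.h>
#define POOL_SIZE 8                              /* stand-in for available memory */
struct pending_cmd { int allocated, on_list; };  /* models mgmt_pending_cmd */
static struct pending_cmd pool[POOL_SIZE];
/* Allocate a command and queue it as pending; NULL once the pool is exhausted. */
static struct pending_cmd *pending_add(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].allocated) {
            pool[i].allocated = pool[i].on_list = 1;
            return &pool[i];
        }
    return NULL;
}

/* Removal makes cmd unreachable from the list; only the caller can free it now. */
static void pending_remove(struct pending_cmd *cmd) { cmd->on_list = 0; }
static void pending_free(struct pending_cmd *cmd) { cmd->allocated = 0; }

/* Before the fix: cmd is removed, then both paths return without freeing it. */
static void complete_leaky(struct pending_cmd *cmd, int err)
{
    pending_remove(cmd);
    if (err) return;    /* error path: status reply, cmd leaked */
    return;             /* success path: settings reply, cmd leaked */
}

/* After the fix: the error path and the success path both free cmd. */
static void complete_fixed(struct pending_cmd *cmd, int err)
{
    pending_remove(cmd);
    if (err) { pending_free(cmd); return; }
    pending_free(cmd);
}

/* Complete n commands (odd ones fail); count slots allocated but unreachable. */
int leaked_after(void (*complete)(struct pending_cmd *, int), int n)
{
    int leaked = 0;
    memset(pool, 0, sizeof(pool));
    for (int i = 0; i < n; i++) {
        struct pending_cmd *cmd = pending_add();
        if (cmd) complete(cmd, i % 2 ? -1 : 0);
    }
    for (int i = 0; i < POOL_SIZE; i++)
        leaked += pool[i].allocated && !pool[i].on_list;
    return leaked;
}
```

With the leaky handler every completed command costs one slot until `pending_add()` starts returning NULL; with the fixed handler the same workload leaves the pool empty.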
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12.59 (including) | 6.12.69 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16.10 (including) | 6.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.17.1 (including) | 6.18.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* | | |



