CVE-2026-43059

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 05/05/2026
Last modified: 06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers

Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), which not only validates the pending command but also unlinks it from the pending list if it is valid. This change in semantics requires updates to several completion handlers to avoid list corruption and memory safety issues.

This patch addresses two left-over issues from the aforementioned rework:

1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() is replaced with mgmt_pending_free() in the success path. Since mgmt_pending_valid() already unlinks the command at the beginning of the function, calling mgmt_pending_remove() leads to a double list_del() and subsequent list corruption/kernel panic.

2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error path is removed. Since the current command is already unlinked by mgmt_pending_valid(), this foreach loop would incorrectly target other pending mesh commands, potentially freeing them while they are still being processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() is also simplified to use cmd->opcode directly.
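The first issue, shown as an added userspace C model that is not code from the advisory or from the kernel patch: once a validate-and-unlink helper has run, a handler that unlinks again performs a double list_del(), while a handler that only frees is clean. All names here (pending_valid, complete_handler, list_del_checked, POISON) and the opcode values used with them are hypothetical stand-ins, and the poison check only imitates the idea of the kernel's list debugging.

```c
/* Userspace model (constructed for illustration, not kernel code). */
#include <stdbool.h>
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };
struct pending_cmd { struct list_head list; unsigned short opcode; };
#define POISON ((struct list_head *)0x100) /* marks an unlinked entry */

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static struct pending_cmd *pending_add(struct list_head *h, unsigned short op) {
    struct pending_cmd *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->opcode = op;
    c->list.next = h->next; c->list.prev = h;
    h->next->prev = &c->list; h->next = &c->list;
    return c;
}

static int pending_count(struct list_head *h) {
    int n = 0;
    for (struct list_head *p = h->next; p != h; p = p->next) n++;
    return n;
}

/* Checked unlink: refuse an already-unlinked entry instead of writing
 * through its stale next/prev pointers (the double list_del() case). */
static bool list_del_checked(struct list_head *e) {
    if (e->next == POISON || e->prev == POISON) return false;
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = e->prev = POISON;
    return true;
}

/* Models the changed semantics: validate AND unlink when the command is found. */
static bool pending_valid(struct list_head *h, struct pending_cmd *cmd) {
    for (struct list_head *p = h->next; p != h; p = p->next)
        if (p == &cmd->list) return list_del_checked(p);
    return false;
}

/* use_remove=true models the pre-fix success path (unlink again, then free);
 * false models the fixed path (free only). Returns 0 when clean, -1 when a
 * second unlink was attempted, -2 when the command was not pending. */
static int complete_handler(struct list_head *h, struct pending_cmd *cmd, bool use_remove) {
    if (!pending_valid(h, cmd)) return -2;
    int rc = (use_remove && !list_del_checked(&cmd->list)) ? -1 : 0;
    free(cmd);
    return rc;
}
```

Without the poison check, the second unlink would write through the entry's stale pointers, which is the list corruption the description refers to.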

Impact