{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43017", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.975Z", "datePublished": "2026-05-01T14:15:21.561Z", "dateUpdated": "2026-05-01T14:15:21.561Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-01T14:15:21.561Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate mesh send advertising payload length\n\nmesh_send() currently bounds MGMT_OP_MESH_SEND by total command\nlength, but it never verifies that the bytes supplied for the\nflexible adv_data[] array actually match the embedded adv_data_len\nfield. MGMT_MESH_SEND_SIZE only covers the fixed header, so a\ntruncated command can still pass the existing 20..50 byte range\ncheck and later drive the async mesh send path past the end of the\nqueued command buffer.\n\nKeep rejecting zero-length and oversized advertising payloads, but\nvalidate adv_data_len explicitly and require the command length to\nexactly match the flexible array size before queueing the request."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/mgmt.c"], "versions": [{"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3", "lessThan": "24fa32369cf15d8fc918bdfe94097b12e6acada0", "status": "affected", "versionType": "git"}, {"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3", "lessThan": "244b639e6a3a8e26241e201004a3a9f764476631", "status": "affected", "versionType": "git"}, {"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3", "lessThan": "0b706fb2294aff3adfd54653bda1b5e356ad4566", "status": "affected", "versionType": "git"}, {"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3", "lessThan": "edb5898cfa91afe7e8f83eda18d93034c953d632", "status": "affected", "versionType": "git"}, {"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3", "lessThan": "562ed1954f0c1bff3422b7b752bd3dacf185edbf", "status": "affected", "versionType": "git"}, {"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3", "lessThan": "bda93eec78cdbfe5cda00785cefebd443e56b88b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/mgmt.c"], "versions": [{"version": "6.1", "status": "affected"}, {"version": "0", "lessThan": "6.1", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.134", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/24fa32369cf15d8fc918bdfe94097b12e6acada0"}, {"url": "https://git.kernel.org/stable/c/244b639e6a3a8e26241e201004a3a9f764476631"}, {"url": "https://git.kernel.org/stable/c/0b706fb2294aff3adfd54653bda1b5e356ad4566"}, {"url": "https://git.kernel.org/stable/c/edb5898cfa91afe7e8f83eda18d93034c953d632"}, {"url": "https://git.kernel.org/stable/c/562ed1954f0c1bff3422b7b752bd3dacf185edbf"}, {"url": "https://git.kernel.org/stable/c/bda93eec78cdbfe5cda00785cefebd443e56b88b"}], "title": "Bluetooth: MGMT: validate mesh send advertising payload length", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate mesh send advertising payload length\n\nmesh_send() currently bounds MGMT_OP_MESH_SEND by total command\nlength, but it never verifies that the bytes supplied for the\nflexible adv_data[] array actually match the embedded adv_data_len\nfield. MGMT_MESH_SEND_SIZE only covers the fixed header, so a\ntruncated command can still pass the existing 20..50 byte range\ncheck and later drive the async mesh send path past the end of the\nqueued command buffer.\n\nKeep rejecting zero-length and oversized advertising payloads, but\nvalidate adv_data_len explicitly and require the command length to\nexactly match the flexible array size before queueing the request."}], "id": "CVE-2026-43017", "lastModified": "2026-05-01T15:24:14.893", "metrics": {}, "published": "2026-05-01T15:16:45.837", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0b706fb2294aff3adfd54653bda1b5e356ad4566"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/244b639e6a3a8e26241e201004a3a9f764476631"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/24fa32369cf15d8fc918bdfe94097b12e6acada0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/562ed1954f0c1bff3422b7b752bd3dacf185edbf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bda93eec78cdbfe5cda00785cefebd443e56b88b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/edb5898cfa91afe7e8f83eda18d93034c953d632"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: Bluetooth: MGMT: validate mesh send advertising payload length", "id": "2464357", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464357"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-130", "details": ["A flaw was found in the Bluetooth subsystem of the Linux kernel. A remote attacker could exploit this by sending a specially crafted Bluetooth Mesh advertising payload. The system fails to properly validate the length of the advertising data against the provided payload, leading to an out-of-bounds write. This memory corruption could result in a denial of service."], "name": "CVE-2026-43017", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43017\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43017\nhttps://lore.kernel.org/linux-cve-announce/2026050157-CVE-2026-43017-fefa@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b338d91703fae6f6afd67f3f75caa3b8f36ddef3,24fa32369cf15d8fc918bdfe94097b12e6acada0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b338d91703fae6f6afd67f3f75caa3b8f36ddef3,244b639e6a3a8e26241e201004a3a9f764476631)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b338d91703fae6f6afd67f3f75caa3b8f36ddef3,0b706fb2294aff3adfd54653bda1b5e356ad4566)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b338d91703fae6f6afd67f3f75caa3b8f36ddef3,edb5898cfa91afe7e8f83eda18d93034c953d632)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b338d91703fae6f6afd67f3f75caa3b8f36ddef3,562ed1954f0c1bff3422b7b752bd3dacf185edbf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b338d91703fae6f6afd67f3f75caa3b8f36ddef3,bda93eec78cdbfe5cda00785cefebd443e56b88b)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.134,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.81,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.22,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.12,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-05-01T20:15:24.442557+00:00", "updated": "2026-05-01T20:15:24.442668+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}