CVE-2026-43017
Bluetooth: MGMT Mesh Send Advertising Payload Length Validation Flaw
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Bluetooth mesh management functionality. Specifically, the mesh_send() function does not properly verify that the length of the advertising data (adv_data) matches the length specified in the adv_data_len field. Although the total command length is checked, the flexible adv_data array length is not validated, allowing a truncated command to bypass length checks. This can cause the asynchronous mesh send process to read beyond the end of the command buffer, potentially leading to unexpected behavior.
How can this vulnerability impact me?
Because the vulnerability allows the asynchronous mesh send path to read beyond the end of the queued command buffer, it could lead to memory corruption or other unintended behavior within the Bluetooth mesh functionality of the Linux kernel. This might be exploited to cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or disrupt Bluetooth communications.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the Linux kernel is updated to a version where the Bluetooth MGMT mesh send advertising payload length validation is fixed.
Specifically, the fix involves validating the adv_data_len explicitly and requiring the command length to exactly match the flexible array size before queueing the request, preventing truncated or oversized advertising payloads from being processed.
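The length check described above, as a self-contained C example added here. It is not the kernel's code: the struct, the 31-byte cap, the function names and the sample buffers are all constructed for illustration. It contrasts a check that bounds only the total command length with one that requires the length to equal the header plus adv_data_len.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_ADV_MAX 31 /* assumed payload cap (legacy advertising data size) */
/* Hypothetical stand-in for a command that ends in a flexible array. */
struct demo_mesh_send {
    uint8_t cnt;
    uint8_t adv_data_len; /* length the sender claims */
    uint8_t adv_data[];   /* bytes actually present after the header */
};
#define DEMO_HDR sizeof(struct demo_mesh_send)
#define DEMO_CLAIMED(buf) ((buf)[offsetof(struct demo_mesh_send, adv_data_len)])

/* Constructed samples, each 5 bytes: 2-byte header plus 3 payload bytes. */
static const uint8_t demo_truncated[] = { 1, 20, 0xAA, 0xBB, 0xCC }; /* claims 20 */
static const uint8_t demo_exact[]     = { 1,  3, 0xAA, 0xBB, 0xCC }; /* claims 3 */
static const uint8_t demo_padded[]    = { 1,  1, 0xAA, 0xBB, 0xCC }; /* claims 1 */

/* Weak form: bounds only the total length, never consults adv_data_len. */
static int weak_len_ok(const uint8_t *buf, size_t len)
{
    (void)buf;
    return len >= DEMO_HDR && len <= DEMO_HDR + DEMO_ADV_MAX;
}

/* Hardened form: claimed length in range and len == header + claimed. */
static int strict_len_ok(const uint8_t *buf, size_t len)
{
    if (len < DEMO_HDR || DEMO_CLAIMED(buf) > DEMO_ADV_MAX)
        return 0;
    return len == DEMO_HDR + DEMO_CLAIMED(buf);
}

/* Bytes a later consumer trusting adv_data_len would read past the buffer
 * (caller guarantees len >= DEMO_HDR). */
static size_t overread_bytes(const uint8_t *buf, size_t len)
{
    size_t need = DEMO_HDR + DEMO_CLAIMED(buf);
    return need > len ? need - len : 0;
}

int main(void)
{
    const uint8_t *s[] = { demo_truncated, demo_exact, demo_padded };
    for (int i = 0; i < 3; i++) /* every sample is 5 bytes long */
        printf("weak=%d strict=%d overread=%zu\n", weak_len_ok(s[i], 5),
               strict_len_ok(s[i], 5), overread_bytes(s[i], 5));
    return 0;
}
```

The truncated sample passes the weak check even though a consumer trusting adv_data_len would need 17 bytes that are not in the buffer; the strict check rejects both the truncated and the padded sample.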