{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23151", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.976Z", "datePublished": "2026-02-14T16:01:19.663Z", "dateUpdated": "2026-05-11T22:01:11.932Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:01:11.932Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix memory leak in set_ssp_complete\n\nFix memory leak in set_ssp_complete() where mgmt_pending_cmd structures\nare not freed after being removed from the pending list.\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") replaced\nmgmt_pending_foreach() calls with individual command handling but missed\nadding mgmt_pending_free() calls in both error and success paths of\nset_ssp_complete(). Other completion functions like set_le_complete()\nwere fixed correctly in the same commit.\n\nThis causes a memory leak of the mgmt_pending_cmd structure and its\nassociated parameter data for each SSP command that completes.\n\nAdd the missing mgmt_pending_free(cmd) calls in both code paths to fix\nthe memory leak. Also fix the same issue in set_advertising_complete()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/mgmt.c"], "versions": [{"version": "d71b98f253b079cbadc83266383f26fe7e9e103b", "lessThan": "1850a558d116d7e3e2ef36d06a56f59b640cc214", "status": "affected", "versionType": "git"}, {"version": "302a1f674c00dd5581ab8e493ef44767c5101aab", "lessThan": "3b6318505378828ee415d6ef678db6a74c077504", "status": "affected", "versionType": "git"}, {"version": "302a1f674c00dd5581ab8e493ef44767c5101aab", "lessThan": "1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2", "status": "affected", "versionType": "git"}, {"version": "87a1f16f07c6c43771754075e08f45b41d237421", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/mgmt.c"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.69", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.9", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.59", "versionEndExcluding": "6.12.69"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1850a558d116d7e3e2ef36d06a56f59b640cc214"}, {"url": "https://git.kernel.org/stable/c/3b6318505378828ee415d6ef678db6a74c077504"}, {"url": "https://git.kernel.org/stable/c/1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2"}], "title": "Bluetooth: MGMT: Fix memory leak in set_ssp_complete", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A53284ED-D418-4297-9CC1-383716BAE112", "versionEndExcluding": "6.12.69", "versionStartIncluding": "6.12.59", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C91278E-7FC3-4EFB-AE2C-E82D42F4D3AA", "versionEndExcluding": "6.17", "versionStartIncluding": "6.16.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A25DDAF-7C27-4AFF-A350-9BD6DD15CBE1", "versionEndExcluding": "6.18.9", "versionStartIncluding": "6.17.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*", "matchCriteriaId": "7CC8B11D-82DC-4958-8DC7-BF5CC829A5E9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix memory leak in set_ssp_complete\n\nFix memory leak in set_ssp_complete() where mgmt_pending_cmd structures\nare not freed after being removed from the pending list.\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") replaced\nmgmt_pending_foreach() calls with individual command handling but missed\nadding mgmt_pending_free() calls in both error and success paths of\nset_ssp_complete(). Other completion functions like set_le_complete()\nwere fixed correctly in the same commit.\n\nThis causes a memory leak of the mgmt_pending_cmd structure and its\nassociated parameter data for each SSP command that completes.\n\nAdd the missing mgmt_pending_free(cmd) calls in both code paths to fix\nthe memory leak. Also fix the same issue in set_advertising_complete()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nBluetooth: MGMT: Correcci\u00f3n de fuga de memoria en set_ssp_complete\n\nCorrige la fuga de memoria en set_ssp_complete() donde las estructuras mgmt_pending_cmd no son liberadas despu\u00e9s de ser eliminadas de la lista de pendientes.\n\nEl commit 302a1f674c00 ('Bluetooth: MGMT: Corrige posibles UAFs') reemplaz\u00f3 las llamadas a mgmt_pending_foreach() con el manejo individual de comandos, pero omiti\u00f3 a\u00f1adir llamadas a mgmt_pending_free() tanto en las rutas de error como de \u00e9xito de set_ssp_complete(). Otras funciones de completado como set_le_complete() fueron corregidas correctamente en el mismo commit.\n\nEsto causa una fuga de memoria de la estructura mgmt_pending_cmd y sus datos de par\u00e1metros asociados para cada comando SSP que se completa.\n\nA\u00f1ade las llamadas faltantes a mgmt_pending_free(cmd) en ambas rutas de c\u00f3digo para corregir la fuga de memoria. Tambi\u00e9n corrige el mismo problema en set_advertising_complete()."}], "id": "CVE-2026-23151", "lastModified": "2026-03-17T21:11:37.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T16:15:55.233", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1850a558d116d7e3e2ef36d06a56f59b640cc214"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3b6318505378828ee415d6ef678db6a74c077504"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Bluetooth: MGMT: Fix memory leak in set_ssp_complete", "id": "2439926", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439926"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: MGMT: Fix memory leak in set_ssp_complete\nFix memory leak in set_ssp_complete() where mgmt_pending_cmd structures\nare not freed after being removed from the pending list.\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") replaced\nmgmt_pending_foreach() calls with individual command handling but missed\nadding mgmt_pending_free() calls in both error and success paths of\nset_ssp_complete(). Other completion functions like set_le_complete()\nwere fixed correctly in the same commit.\nThis causes a memory leak of the mgmt_pending_cmd structure and its\nassociated parameter data for each SSP command that completes.\nAdd the missing mgmt_pending_free(cmd) calls in both code paths to fix\nthe memory leak. Also fix the same issue in set_advertising_complete()."], "name": "CVE-2026-23151", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23151\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23151\nhttps://lore.kernel.org/linux-cve-announce/2026021414-CVE-2026-23151-74d4@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d71b98f253b079cbadc83266383f26fe7e9e103b,1850a558d116d7e3e2ef36d06a56f59b640cc214)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[302a1f674c00dd5581ab8e493ef44767c5101aab,3b6318505378828ee415d6ef678db6a74c077504)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[302a1f674c00dd5581ab8e493ef44767c5101aab,1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "87a1f16f07c6c43771754075e08f45b41d237421"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.69,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.9,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-18T12:20:29.172433+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the patch for the Bluetooth mgmt memory leak, such as any kernel release newer than 6.19 RC7 or 6.19.1 and later.", "If a kernel upgrade is not immediately feasible, temporarily disable the Bluetooth mgmt subsystem or restrict exposure (e.g., using firewall rules or disabling Bluetooth services) to reduce the number of SSP interactions that could trigger the leak.", "Monitor system memory usage for abnormal growth patterns and configure alerts to detect ongoing leaks, enabling proactive mitigation before a full denial of service occurs."], "summary": {"action": "Patch", "impact": "Denial of Service via Resource Exhaustion"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the vulnerable Bluetooth management code and have not applied the patch with commit 302a1f674c00. This includes kernel releases up to and including 6.19 RC7. The vulnerability is tied to the Bluetooth subsystem in the mainline Linux kernel, affecting any system that enables the Bluetooth MGMT module or processes SSP requests.", "description_and_impact": "A memory leak in the Bluetooth management subsystem occurs when SSP (Secure Simple Pairing) completion callbacks fail to free allocated pending command structures. Each completed SSP command retains a mgmt_pending_cmd object and its parameters, consuming kernel memory until the system shuts down. While the CVE does not provide code execution or privilege escalation, the accumulation of unreleased memory can degrade system responsiveness and potentially lead to a device\u2011wide denial of service if the leak is sufficiently abused, especially on resource\u2011constrained embedded devices.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a medium severity and the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an attacker\u2019s ability to send a large number of SSP completion triggers to the host, which is possible for devices with a public or exposed Bluetooth interface. Given that the issue leads only to memory exhaustion and not immediate corruption or code execution, the risk is moderate but not negligible for environments that rely on continuous Bluetooth service availability."}}}}, "created": "2026-02-16T12:01:16.641633+00:00", "updated": "2026-04-18T12:30:45.453758+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}