Vulnerability-Lookup

CVE-2026-23151 (GCVE-0-2026-23151)

Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01

Title

Bluetooth: MGMT: Fix memory leak in set_ssp_complete

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix memory leak in set_ssp_complete Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures are not freed after being removed from the pending list. Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced mgmt_pending_foreach() calls with individual command handling but missed adding mgmt_pending_free() calls in both error and success paths of set_ssp_complete(). Other completion functions like set_le_complete() were fixed correctly in the same commit. This causes a memory leak of the mgmt_pending_cmd structure and its associated parameter data for each SSP command that completes. Add the missing mgmt_pending_free(cmd) calls in both code paths to fix the memory leak. Also fix the same issue in set_advertising_complete().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

FKIE_CVE-2026-23151

Vulnerability from fkie_nvd - Published: 2026-02-14 16:15 - Updated: 2026-03-17 21:11

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/1850a558d116d7e3e2ef36d06a56f59b640cc214	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/3b6318505378828ee415d6ef678db6a74c077504	Patch

Impacted products

Vendor	Product	Version
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	6.17
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A53284ED-D418-4297-9CC1-383716BAE112",
              "versionEndExcluding": "6.12.69",
              "versionStartIncluding": "6.12.59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C91278E-7FC3-4EFB-AE2C-E82D42F4D3AA",
              "versionEndExcluding": "6.17",
              "versionStartIncluding": "6.16.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A25DDAF-7C27-4AFF-A350-9BD6DD15CBE1",
              "versionEndExcluding": "6.18.9",
              "versionStartIncluding": "6.17.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*",
              "matchCriteriaId": "7CC8B11D-82DC-4958-8DC7-BF5CC829A5E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix memory leak in set_ssp_complete\n\nFix memory leak in set_ssp_complete() where mgmt_pending_cmd structures\nare not freed after being removed from the pending list.\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") replaced\nmgmt_pending_foreach() calls with individual command handling but missed\nadding mgmt_pending_free() calls in both error and success paths of\nset_ssp_complete(). Other completion functions like set_le_complete()\nwere fixed correctly in the same commit.\n\nThis causes a memory leak of the mgmt_pending_cmd structure and its\nassociated parameter data for each SSP command that completes.\n\nAdd the missing mgmt_pending_free(cmd) calls in both code paths to fix\nthe memory leak. Also fix the same issue in set_advertising_complete()."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nBluetooth: MGMT: Correcci\u00f3n de fuga de memoria en set_ssp_complete\n\nCorrige la fuga de memoria en set_ssp_complete() donde las estructuras mgmt_pending_cmd no son liberadas despu\u00e9s de ser eliminadas de la lista de pendientes.\n\nEl commit 302a1f674c00 (\u0027Bluetooth: MGMT: Corrige posibles UAFs\u0027) reemplaz\u00f3 las llamadas a mgmt_pending_foreach() con el manejo individual de comandos, pero omiti\u00f3 a\u00f1adir llamadas a mgmt_pending_free() tanto en las rutas de error como de \u00e9xito de set_ssp_complete(). Otras funciones de completado como set_le_complete() fueron corregidas correctamente en el mismo commit.\n\nEsto causa una fuga de memoria de la estructura mgmt_pending_cmd y sus datos de par\u00e1metros asociados para cada comando SSP que se completa.\n\nA\u00f1ade las llamadas faltantes a mgmt_pending_free(cmd) en ambas rutas de c\u00f3digo para corregir la fuga de memoria. Tambi\u00e9n corrige el mismo problema en set_advertising_complete()."
    }
  ],
  "id": "CVE-2026-23151",
  "lastModified": "2026-03-17T21:11:37.000",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-14T16:15:55.233",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/1850a558d116d7e3e2ef36d06a56f59b640cc214"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3b6318505378828ee415d6ef678db6a74c077504"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

SUSE-SU-2026:20667-1

Vulnerability from csaf_suse - Published: 2026-03-11 15:14 - Updated: 2026-03-11 15:14

Summary

Security update for the Linux Kernel

Severity

Important

Notes

Title of the patch: Security update for the Linux Kernel

Description of the patch: The SUSE Linux Enterprise Micro 6.0 and Micro 6.1 kernel was updated to fix various security issues The following security issues were fixed: - CVE-2023-53817: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() (bsc#1254992). - CVE-2025-37861: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue (bsc#1243055). - CVE-2025-39748: bpf: Forget ranges when refining tnum after JSET (bsc#1249587). - CVE-2025-39964: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg (bsc#1251966). - CVE-2025-40099: cifs: parse_dfs_referrals: prevent oob on malformed input (bsc#1252911). - CVE-2025-40103: smb: client: Fix refcount leak for cifs_sb_tlink (bsc#1252924). - CVE-2025-68283: libceph: replace BUG_ON with bounds check for map->max_osd (bsc#1255379). - CVE-2025-68295: smb: client: fix memory leak in cifs_construct_tcon() (bsc#1255129). - CVE-2025-68374: md: fix rcu protection in md_wakeup_thread (bsc#1255530). - CVE-2025-68736: landlock: Fix handling of disconnected directories (bsc#1255698). - CVE-2025-68778: btrfs: don't log conflicting inode if it's a dir moved in the current transaction (bsc#1256683). - CVE-2025-68785: net: openvswitch: fix middle attribute validation in push_nsh() action (bsc#1256640). - CVE-2025-68810: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot (bsc#1256679). - CVE-2025-71071: iommu/mediatek: fix use-after-free on probe deferral (bsc#1256802). - CVE-2025-71104: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer (bsc#1256708). - CVE-2025-71113: crypto: af_alg - zero initialize memory allocated via sock_kmalloc (bsc#1256716). - CVE-2025-71126: mptcp: reset fallback status gracefully at disconnect() time (bsc#1256755). - CVE-2025-71148: net/handshake: restore destructor on submit failure (bsc#1257159). - CVE-2025-71184: btrfs: fix NULL dereference on root when tracing inode eviction (bsc#1257635). - CVE-2025-71194: btrfs: fix deadlock in wait_current_trans() due to ignored transaction type (bsc#1257687). - CVE-2025-71225: md: suspend array while updating raid_disks via sysfs (bsc#1258411). - CVE-2026-22979: net: fix memory leak in skb_segment_list for GRO packets (bsc#1257228). - CVE-2026-22982: net: mscc: ocelot: Fix crash when adding interface under a lag (bsc#1257179). - CVE-2026-22998: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (bsc#1257209). - CVE-2026-23003: geneve: Fix incorrect inner network header offset when innerprotoinherit is set (bsc#1257246). - CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (bsc#1257231). - CVE-2026-23017: idpf: fix error handling in the init_task on load (bsc#1257552). - CVE-2026-23035: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv (bsc#1257559). - CVE-2026-23053: NFS: Fix a deadlock involving nfs_release_folio() (bsc#1257718). - CVE-2026-23057: vsock/virtio: Coalesce only linear skb (bsc#1257740). - CVE-2026-23060: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (bsc#1257735). - CVE-2026-23064: net/sched: act_ife: avoid possible NULL deref (bsc#1257765). - CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1257749). - CVE-2026-23083: fou: Don't allow 0 for FOU_ATTR_IPPROTO (bsc#1257745). - CVE-2026-23084: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list (bsc#1257830). - CVE-2026-23085: irqchip/gic-v3-its: Avoid truncating memory addresses (bsc#1257758). - CVE-2026-23086: vsock/virtio: cap TX credit to local buffer size (bsc#1257757). - CVE-2026-23089: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() (bsc#1257790). - CVE-2026-23095: gue: Fix skb memleak with inner IP protocol 0 (bsc#1257808). - CVE-2026-23099: bonding: limit BOND_MODE_8023AD to Ethernet devices (bsc#1257816). - CVE-2026-23102: arm64/fpsimd: signal: Mandate SVE payload for streaming-mode state (bsc#1257772). - CVE-2026-23104: ice: fix devlink reload call trace (bsc#1257763). - CVE-2026-23105: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag (bsc#1257775). - CVE-2026-23107: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA (bsc#1257762). - CVE-2026-23110: scsi: core: Wake up the error handler when final completions race against each other (bsc#1257761). - CVE-2026-23111: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (bsc#1258181). - CVE-2026-23112: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec (bsc#1258184). - CVE-2026-23113: io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop (bsc#1258278). - CVE-2026-23116: pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu (bsc#1258277). - CVE-2026-23119: bonding: provide a net pointer to __skb_flow_dissect() (bsc#1258273). - CVE-2026-23139: netfilter: nf_conncount: update last_gc only when GC has been performed (bsc#1258304). - CVE-2026-23141: btrfs: send: check for inline extents in range_is_hole_in_parent() (bsc#1258377). - CVE-2026-23166: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues (bsc#1258272). - CVE-2026-23171: net: bonding: update the slave array for broadcast mode (bsc#1258349). - CVE-2026-23173: net/mlx5e: TC, delete flows only for existing peers (bsc#1258520). - CVE-2026-23179: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() (bsc#1258394). - CVE-2026-23191: ALSA: aloop: Fix racy access at PCM trigger (bsc#1258395). - CVE-2026-23198: KVM: Don't clobber irqfd routing type when deassigning irqfd (bsc#1258321). - CVE-2026-23208: ALSA: usb-audio: Prevent excessive number of frames (bsc#1258468). - CVE-2026-23209: macvlan: fix error recovery in macvlan_common_newlink() (bsc#1258518). - CVE-2026-23213: drm/amd/pm: Disable MMIO access during SMU Mode 1 reset (bsc#1258465). - CVE-2026-23214: btrfs: reject new transactions if the fs is fully read-only (bsc#1258464). The following non security issues were fixed: - ALSA: usb-audio: Update the number of packets properly at receiving (stable-fixes). - ALSA: usb-audio: fix broken logic in snd_audigy2nx_led_update() (git-fixes). - ASoC: SOF: ipc4-control: If there is no data do not send bytes update (git-fixes). - HID: intel-ish-hid: Update ishtp bus match to support device ID table (stable-fixes). - PM: sleep: wakeirq: Update outdated documentation comments (git-fixes). - Update "drm/mgag200: fix mgag200_bmc_stop_scanout()" bug number (bsc#1258153) - Update upstreamed net and powerpc patch references and sorting - bonding: only set speed/duplex to unknown, if getting speed failed (bsc#1253691). - btrfs: scrub: always update btrfs_scrub_progress::last_physical (git-fixes). - clocksource: Print durations for sync check unconditionally (bsc#1241345). - clocksource: Reduce watchdog readout delay limit to prevent false positives (bsc#1241345). - drm/radeon: delete radeon_fence_process in is_signaled, no deadlock (stable-fixes). - ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref (git-fixes). - landlock: Optimize file path walks and prepare for audit support (bsc#1255698). - media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() (git-fixes). - shrink_slab_memcg: clear_bits of skipped shrinkers (bsc#1256564). - spi: tegra210-quad: Move curr_xfer read inside spinlock (bsc#1257952) - spi: tegra210-quad: Protect curr_xfer assignment in (bsc#1257952) - spi: tegra210-quad: Protect curr_xfer check in IRQ handler (bsc#1257952) - spi: tegra210-quad: Protect curr_xfer clearing in (bsc#1257952) - spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer (bsc#1257952) - spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed (bsc#1257952) - staging: rtl8723bs: fix missing status update on sdio_alloc_irq() failure (stable-fixes). - wifi: cfg80211: Fix use_for flag update on BSS refresh (git-fixes). - workqueue: mark power efficient workqueue as unbounded if (bsc#1257891)

Patchnames: SUSE-SLE-Micro-6.1-kernel-291

CVE-2023-53817

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H