CVE-2026-43017
Published: May 1, 2026
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate mesh send advertising payload length

mesh_send() currently bounds MGMT_OP_MESH_SEND by total command length, but it never verifies that the bytes supplied for the flexible adv_data[] array actually match the embedded adv_data_len field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer.

Keep rejecting zero-length and oversized advertising payloads, but validate adv_data_len explicitly and require the command length to exactly match the flexible array size before queueing the request.
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 - < 24fa32369cf15d8fc918bdfe94097b12e6acada0; affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 - < 244b639e6a3a8e26241e201004a3a9f764476631; affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 - < 0b706fb2294aff3adfd54653bda1b5e356ad4566; affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 - < edb5898cfa91afe7e8f83eda18d93034c953d632; affected b338d91703fae6f6afd67f3f75caa3b8f36ddef3 - < 562ed1954f0c1bff3422b7b752bd3dacf185edbf; +1 more versions |
| Linux | Linux | affected 6.1; unaffected 0 - < 6.1; unaffected 6.1.168 - <= 6.1.*; unaffected 6.6.134 - <= 6.6.*; unaffected 6.12.81 - <= 6.12.*; +3 more versions |
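The length check from the description, modelled in user space as an added example; this is not the kernel patch. The 19-byte header and 31-byte payload limit are assumptions chosen to reproduce the 20..50 byte range the description cites, and `old_check`, `new_check`, `probe` and the sample commands are hypothetical, constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes, picked to reproduce the 20..50 byte range in the description. */
#define HDR_SIZE    19u  /* fixed header; its last byte models adv_data_len */
#define MAX_ADV_LEN 31u  /* largest advertising payload */
struct verdict { bool old_ok; bool new_ok; size_t overread; };

/* Pre-fix check as described: only the total command length is bounded. */
static bool old_check(size_t len)
{
    return len > HDR_SIZE && len <= HDR_SIZE + MAX_ADV_LEN;
}

/* Post-fix check as described: validate adv_data_len, then require an exact match. */
static bool new_check(const uint8_t *cmd, size_t len)
{
    if (len < HDR_SIZE)
        return false;
    uint8_t adv_data_len = cmd[HDR_SIZE - 1];
    if (adv_data_len == 0 || adv_data_len > MAX_ADV_LEN)
        return false;
    return len == HDR_SIZE + adv_data_len;
}

/* Constructed command: claims `claimed` payload bytes while carrying `supplied`. */
static struct verdict probe(uint8_t claimed, size_t supplied)
{
    uint8_t cmd[HDR_SIZE + 255] = {0};
    size_t len = HDR_SIZE + supplied;
    size_t need = HDR_SIZE + (size_t)claimed;  /* bytes a consumer trusting the field reads */
    cmd[HDR_SIZE - 1] = claimed;
    return (struct verdict){ old_check(len), new_check(cmd, len),
                             need > len ? need - len : 0 };
}

int main(void)
{
    static const struct { uint8_t claimed; size_t supplied; } cases[] = {
        {8, 8}, {31, 1}, {31, 31}, {0, 5}, {40, 31},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct verdict v = probe(cases[i].claimed, cases[i].supplied);
        printf("claimed=%2u supplied=%2zu old=%d new=%d overread=%zu\n",
               (unsigned)cases[i].claimed, cases[i].supplied, v.old_ok, v.new_ok, v.overread);
    }
    return 0;
}
```

The `overread` column is the number of bytes past the end of the buffer that a consumer trusting `adv_data_len` would touch; it is non-zero only for commands the range check accepts and the exact-match check rejects.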
References