CVE-2026-43018
Published: 01 May 2026
Summary
CVE-2026-43018 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely remediation of the UAF vulnerability through installation of Linux kernel patches that extend the hci_dev_lock critical section to protect hci_conn usage.
- Enables detection of affected Linux kernel versions vulnerable to this Bluetooth UAF via vulnerability scanning and monitoring.
- Implements memory protection mechanisms that mitigate UAF exploitation by restricting unauthorized access to freed kernel memory structures like hci_conn.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The UAF vulnerability in the Linux kernel Bluetooth subsystem (hci_le_remote_conn_param_req_evt) is directly exploitable over adjacent network access with no privileges required, mapping to exploitation of a remote service (Bluetooth stack) in the OS kernel to achieve code execution or system impact.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt hci_conn lookup and field access must be covered by hdev lock in hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage.
Deeper analysis
CVE-2026-43018 is a Use-After-Free (UAF) vulnerability in the Linux kernel's Bluetooth subsystem, specifically within the hci_le_remote_conn_param_req_evt function. The issue arises because hci_conn lookup and field access are not properly protected by the hdev lock, allowing the connection structure to be freed concurrently while still in use. This affects Linux kernel versions prior to the application of the referenced stable patches.
An attacker with adjacent network access (AV:A), such as within Bluetooth range, can exploit this with low complexity (AC:L) and no privileges or user interaction required (PR:N/UI:N). Successful exploitation could result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), with an overall CVSS v3.1 score of 8.8, potentially enabling remote code execution, data leakage, or system crashes on affected systems.
Mitigation involves applying the upstream kernel patches from the provided stable branch commits, which extend the hci_dev_lock critical section to fully cover all hci_conn usage and prevent the UAF. The fixes are available at: https://git.kernel.org/stable/c/1d0bdbfe3e91c11f0a704c52443a9446a10d699c, https://git.kernel.org/stable/c/59eecf0ffde15670e6a5e10c47be67f73d843b20, https://git.kernel.org/stable/c/5fb69e1eeea9d6cba80517e9f058b56b34bc3a81, https://git.kernel.org/stable/c/7cadb03be37e761130edb153544fe0770a842b19, and https://git.kernel.org/stable/c/b255531b27da336571411248c2a72a350662bd09. Security practitioners should prioritize updating Bluetooth-enabled Linux systems, especially those in environments with physical proximity risks.
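The two locking shapes the NVD description contrasts, as an added user-space model written for this page (it is not the kernel's code): the hdev lock is a flag, "freeing" a connection only poisons it, and the names hci_dev_lock_m, lookup_handle and concurrent_conn_del are assumed stand-ins for the kernel's lock, lookup and connection-teardown paths.

```c
/* Added user-space model (not kernel code) of the locking bug behind
 * CVE-2026-43018; a use after free is made detectable instead of undefined. */
#include <stdbool.h>
#include <stddef.h>
struct hci_conn { int handle; int interval; bool freed; };
struct hci_dev { bool locked; struct hci_conn *conn; };  /* one-slot table */
static void hci_dev_lock_m(struct hci_dev *hdev)   { hdev->locked = true;  }
static void hci_dev_unlock_m(struct hci_dev *hdev) { hdev->locked = false; }

/* Lookup by handle; only meaningful while the hdev lock is held. */
static struct hci_conn *lookup_handle(struct hci_dev *hdev, int handle)
{
    return (hdev->conn && hdev->conn->handle == handle) ? hdev->conn : NULL;
}

/* A concurrent disconnect that frees the conn. It needs the hdev lock too,
 * so while the event handler holds the lock the free has to wait. */
static bool concurrent_conn_del(struct hci_dev *hdev)
{
    if (hdev->locked || !hdev->conn) return false;
    hdev->conn->freed = true;   /* stand-in for kfree(conn) */
    hdev->conn = NULL;
    return true;
}

/* Vulnerable shape: the lookup is locked, but the critical section ends
 * before conn's fields are read. Returns true if a freed conn was used. */
bool handler_vulnerable(struct hci_dev *hdev, int handle)
{
    hci_dev_lock_m(hdev);
    struct hci_conn *conn = lookup_handle(hdev, handle);
    hci_dev_unlock_m(hdev);
    if (!conn) return false;
    concurrent_conn_del(hdev);  /* race window: conn can be freed here */
    return conn->freed;         /* reading conn->interval now is a UAF */
}

/* Fixed shape: the critical section covers every use of conn. */
bool handler_fixed(struct hci_dev *hdev, int handle)
{
    bool used_freed = false;
    hci_dev_lock_m(hdev);
    struct hci_conn *conn = lookup_handle(hdev, handle);
    if (conn) {
        concurrent_conn_del(hdev);  /* lock held: the free is deferred */
        used_freed = conn->freed;   /* conn->interval is still valid */
    }
    hci_dev_unlock_m(hdev);
    return used_freed;
}
```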
Details
- CWE(s)