Cyber Resilience

CVE-2026-43019

Severity: High

Published: 01 May 2026
Modified: 08 May 2026
KEV: not listed
CVSS v3.1 score: 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.0001 (3.5th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-43019 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-43019 is a use-after-free (UAF) vulnerability in the Linux kernel's Bluetooth subsystem, specifically within the set_cig_params_sync function. The issue arises because hci_conn lookup and field access are not properly protected by the hdev lock, allowing the hci_conn structure to be freed or modified concurrently by another thread. This affects Linux kernel versions prior to the application of the fixing commits.

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements, as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially leading to arbitrary code execution, data corruption, or system crashes through the UAF condition.

The provided references point to stable kernel commit patches that mitigate the issue by acquiring the hdev lock around hci_conn operations in set_cig_params_sync. These patches ensure proper synchronization to prevent concurrent deletion or modification of the hci_conn structure, noting that RCU locking alone is insufficient to avoid configuration tearing. Security practitioners should apply these upstream fixes to vulnerable kernel versions.
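The locking argument above, as an added C model written for this page rather than taken from the kernel: `preempt()` stands in for a competing thread, the struct and function names are hypothetical stand-ins for hci_conn, hdev and the read side of set_cig_params_sync, and RCU is modelled as deferring the free without excluding field updates. Only holding the hdev lock across both the lookup and the field reads avoids both the use-after-free and the torn configuration.

```c
/* Added model, not the kernel's code: why set_cig_params_sync must hold the
 * hdev lock across both the hci_conn lookup and the field reads. preempt()
 * stands in for a competing writer; RCU is modelled as deferring the free
 * without preventing field updates (the "tearing" the fix refers to). */
#include <stdbool.h>

enum guard { GUARD_NONE, GUARD_RCU, GUARD_HDEV_LOCK };
enum outcome { OUT_OK = 0, OUT_TORN = -1, OUT_USE_AFTER_FREE = -2 };
enum action { WRITER_RECONFIGURE = 1, WRITER_DELETE = 2 };
struct conn_model { int cig_id, cis_id; bool freed; };  /* hypothetical stand-in for hci_conn */
struct hdev_model {                                      /* hypothetical stand-in for hdev */
    struct conn_model *conn;
    enum guard held;        /* what the reader currently holds */
    enum action writer;     /* what the competing writer wants to do */
    int writer_runs_at;     /* preemption point (0 or 1) at which the writer gets scheduled */
};
/* Competing writer. It takes the hdev lock itself, so a reader holding that
 * lock excludes it entirely; an RCU read-side section only defers the free. */
static void preempt(struct hdev_model *hdev, int point)
{
    struct conn_model *c = hdev->conn;
    if (point != hdev->writer_runs_at || hdev->held == GUARD_HDEV_LOCK) return;
    if (hdev->writer == WRITER_RECONFIGURE) { c->cig_id = 7; c->cis_id = 7; }
    else if (hdev->held != GUARD_RCU) c->freed = true;
}

/* Read side of set_cig_params_sync, modelled: look the connection up, then
 * read two fields that are only meaningful as a matching pair. */
static enum outcome read_cig_params(struct hdev_model *hdev, enum guard g)
{
    hdev->held = g;
    struct conn_model *conn = hdev->conn;                /* hci_conn lookup */
    preempt(hdev, 0);                                    /* preemption point 0 */
    if (conn->freed) { hdev->held = GUARD_NONE; return OUT_USE_AFTER_FREE; }  /* real kernel: freed memory */
    int cig = conn->cig_id;
    preempt(hdev, 1);                                    /* preemption point 1 */
    if (conn->freed) { hdev->held = GUARD_NONE; return OUT_USE_AFTER_FREE; }
    int cis = conn->cis_id;
    hdev->held = GUARD_NONE;
    return cig == cis ? OUT_OK : OUT_TORN;               /* (3,3) or (7,7) consistent, (3,7) torn */
}

/* Fresh state per scenario: the connection starts configured as the pair (3,3). */
enum outcome run_scenario(enum guard g, enum action writer, int writer_runs_at)
{
    struct conn_model conn = { 3, 3, false };
    struct hdev_model hdev = { &conn, GUARD_NONE, writer, writer_runs_at };
    return read_cig_params(&hdev, g);
}
```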

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync. hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possible it is freed concurrently. Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A local use-after-free in the kernel Bluetooth subsystem enables arbitrary code execution by a low-privileged attacker, which maps directly to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2026-23158 (same product: Linux Linux Kernel)
CVE-2025-21893 (same product: Linux Linux Kernel)
CVE-2026-31446 (same product: Linux Linux Kernel)
CVE-2026-31650 (same product: Linux Linux Kernel)
CVE-2026-23001 (same product: Linux Linux Kernel)
CVE-2024-50051 (same product: Linux Linux Kernel)
CVE-2025-21759 (same product: Linux Linux Kernel)
CVE-2026-23077 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.4.16, 6.5.3, 7.0 · 6.6 to 6.12.81 · 6.13 to 6.18.22 · 6.19 to 6.19.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Applying the specific Linux kernel patches in a timely manner adds the hdev lock around hci_conn lookup and field access in set_cig_params_sync, directly eliminating the UAF vulnerability.

SI-16 Memory Protection (prevent)

Memory protection safeguards such as kernel address randomization, non-executable pages, and strict memory permissions make the UAF in the Bluetooth hci_conn structure substantially harder to exploit even while the concurrency flaw remains unpatched.

Least functionality (prevent)

Configuring the system to disable non-essential Bluetooth capabilities removes the attack surface presented by the vulnerable set_cig_params_sync function in the kernel.
