CVE-2026-43019
Published: 01 May 2026
Summary
CVE-2026-43019 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 3.5th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), which removes the flaw, and SI-16 (Memory Protection), which only raises the cost of exploiting it.
Deeper analysis
CVE-2026-43019 is a use-after-free (UAF) in the Linux kernel's Bluetooth subsystem, in the set_cig_params_sync function of net/bluetooth/hci_conn.c. The function looks up an hci_conn and then reads its fields without holding the hdev lock. In that window another thread can delete the connection (freeing the hci_conn) or change its configuration, so set_cig_params_sync goes on to dereference a stale pointer or reads a configuration that is partly old and partly new. All kernels that carry this function without the fixing commit are affected.
The CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.8) describes a local attacker with low privileges who needs no user interaction and faces low attack complexity. Winning the race gives a write or read through a freed hci_conn; if the allocator has already reused that memory, the result is kernel memory corruption, which at worst yields code execution in kernel context and at least crashes the kernel. A Bluetooth controller must be present, since the vulnerable path is only reached while configuring connections on it.
The references point to the upstream fix and its stable backports, which take the hdev lock around both the hci_conn lookup and the subsequent field accesses in set_cig_params_sync, so the connection can be neither freed nor modified in between. The commit message notes that RCU alone would not be enough: it would keep the object from being freed under the reader, but it would not stop a concurrent writer from changing the configuration mid-read ("tearing"). Apply the fixed kernel to every affected system; there is no in-kernel workaround short of not loading the Bluetooth stack.
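The following is an added, user-space model of the two code shapes described above; it is not kernel code and not the patch itself. The struct names (model_conn, model_hdev, cig_cfg), the lock helpers and the hook that stands in for the concurrent thread are assumptions of this example. It is single-threaded and deterministic: the "other thread" is a hook that fires in the window between the lookup and the field accesses, so the torn, freed read in the vulnerable shape and the consistent read in the locked shape reproduce on every run.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xDEAD   /* stands in for the allocator poisoning freed memory */
#define MAX_CONN 4

/* Model of struct hci_conn: only the fields this example needs. */
struct model_conn {
    int handle;
    int cig_id;         /* two configuration fields that must be read together */
    int cis_id;
    bool freed;
};

/* Model of struct hci_dev: the hdev lock plus a small connection table.
 * The example is single-threaded, so a flag models the lock (assumption). */
struct model_hdev {
    bool locked;
    struct model_conn conns[MAX_CONN];
};

struct cig_cfg { int cig_id; int cis_id; };

static void hdev_lock(struct model_hdev *h)   { h->locked = true; }
static void hdev_unlock(struct model_hdev *h) { h->locked = false; }
static bool hdev_trylock(struct model_hdev *h)
{
    if (h->locked)
        return false;
    h->locked = true;
    return true;
}

static struct model_conn *conn_lookup(struct model_hdev *h, int handle)
{
    for (int i = 0; i < MAX_CONN; i++)
        if (!h->conns[i].freed && h->conns[i].handle == handle)
            return &h->conns[i];
    return NULL;
}

/* Plays the role of the concurrent thread; fires between lookup and use. */
typedef void (*race_hook_t)(struct model_hdev *h, int handle);

/* Concurrent teardown: frees the conn if it can take the hdev lock. If the
 * lock is held it would block; this model expresses that as "does nothing". */
static void delete_conn_if_unlocked(struct model_hdev *h, int handle)
{
    if (!hdev_trylock(h))
        return;
    struct model_conn *c = conn_lookup(h, handle);
    if (c) {
        c->cig_id = POISON;   /* kfree() would poison or reuse this memory */
        c->cis_id = POISON;
        c->freed = true;
    }
    hdev_unlock(h);
}

/* Vulnerable shape: pointer obtained and used with no hdev lock. The hook
 * fires between the two field reads, so the caller ends up with a conn that
 * was freed under it and a half-old, half-poisoned configuration (tearing). */
static bool set_cig_params_vulnerable(struct model_hdev *h, int handle,
                                      struct cig_cfg *out, race_hook_t hook)
{
    struct model_conn *conn = conn_lookup(h, handle);   /* no hdev lock */
    if (!conn)
        return false;
    out->cig_id = conn->cig_id;
    if (hook)
        hook(h, handle);          /* conn is freed here in the real kernel */
    out->cis_id = conn->cis_id;   /* use after free */
    return true;
}

/* Fixed shape: lookup and every field access sit under the same hdev lock,
 * so teardown cannot run in between and the configuration is read whole. */
static bool set_cig_params_fixed(struct model_hdev *h, int handle,
                                 struct cig_cfg *out, race_hook_t hook)
{
    bool ok = false;
    hdev_lock(h);
    struct model_conn *conn = conn_lookup(h, handle);
    if (conn) {
        out->cig_id = conn->cig_id;
        if (hook)
            hook(h, handle);      /* cannot take the lock: teardown waits */
        out->cis_id = conn->cis_id;
        ok = true;
    }
    hdev_unlock(h);
    return ok;
}

/* Constructed sample device: one live connection, handle 0x10, CIG 1 / CIS 2. */
static void model_hdev_init(struct model_hdev *h)
{
    memset(h, 0, sizeof(*h));
    for (int i = 0; i < MAX_CONN; i++)
        h->conns[i].freed = true;
    h->conns[0] = (struct model_conn){ .handle = 0x10, .cig_id = 1, .cis_id = 2, .freed = false };
}

struct cig_cfg run_vulnerable(void)
{
    struct model_hdev h;
    struct cig_cfg cfg = { -1, -1 };
    model_hdev_init(&h);
    set_cig_params_vulnerable(&h, 0x10, &cfg, delete_conn_if_unlocked);
    return cfg;
}

struct cig_cfg run_fixed(void)
{
    struct model_hdev h;
    struct cig_cfg cfg = { -1, -1 };
    model_hdev_init(&h);
    set_cig_params_fixed(&h, 0x10, &cfg, delete_conn_if_unlocked);
    return cfg;
}

int main(void)
{
    struct cig_cfg v = run_vulnerable(), f = run_fixed();
    printf("vulnerable: cig_id=%d cis_id=%#x (freed under us, torn)\n", v.cig_id, v.cis_id);
    printf("fixed:      cig_id=%d cis_id=%d\n", f.cig_id, f.cis_id);
    return 0;
}
```

The point of holding the lock across both the lookup and the reads, rather than only around the lookup, is visible in the fixed shape: the deleter cannot acquire the lock inside the window, so the pointer stays valid and both fields come from the same version of the configuration. An RCU read-side section would keep the memory from being freed (the cis_id read would not be poisoned) but would still let a writer change cig_id and cis_id between the two reads, which is the tearing the commit message warns about.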
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26618
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possible it is freed concurrently. Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration.
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploitation for Privilege Escalation (T1068)
Why these techniques?
A use-after-free in the kernel's Bluetooth subsystem, reachable by a low-privileged local user, can be turned into kernel memory corruption and from there into code execution in kernel context, which is exactly the local privilege escalation that T1068 describes.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): apply the kernel patches that take the hdev lock around the hci_conn lookup and field accesses in set_cig_params_sync. This removes the race itself rather than merely hindering exploitation. Verify the running kernel, not just the installed package, carries the fix, since stable trees received it as backports under their own version numbers.
SI-16 (Memory Protection): KASLR, non-executable kernel memory, SMEP/SMAP (PAN on arm64) and allocator hardening such as freelist randomization and zeroing on free raise the cost of turning this UAF into reliable code execution, but they do not remove the flaw, and a lost race still crashes the kernel. Treat them as defence in depth alongside patching, not as a substitute for it.
Least functionality: where Bluetooth is not needed, remove the attack surface instead of relying on the race being hard to win. Soft-block the radio with rfkill, stop the Bluetooth service, or prevent the bluetooth kernel module from loading through a modprobe blacklist; set_cig_params_sync configures LE isochronous (CIG/CIS) connections, so hosts that never use LE Audio lose nothing by disabling the stack.