CVE-2026-43017

meshsend() currently bounds MGMTOPMESHSEND by total command length, but it never verifies that the bytes supplied for the flexible advdata[] array actually match the embedded advdatalen field. MGMTMESHSENDSIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer.

Keep rejecting zero-length and oversized advertising payloads, but validate advdatalen explicitly and require the command length to exactly match the flexible array size before queueing the request.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43017.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

b338d91703fae6f6afd67f3f75caa3b8f36ddef3

Fixed

24fa32369cf15d8fc918bdfe94097b12e6acada0

Fixed

244b639e6a3a8e26241e201004a3a9f764476631

Fixed

0b706fb2294aff3adfd54653bda1b5e356ad4566

Fixed

edb5898cfa91afe7e8f83eda18d93034c953d632

Fixed

562ed1954f0c1bff3422b7b752bd3dacf185edbf

Fixed

bda93eec78cdbfe5cda00785cefebd443e56b88b

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43017.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.1.168

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.134

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.81

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.22

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.12

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43017.json"