CVE-2026-53072

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF. Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held. Fix by holding the lock.

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Linux / Linux70c464256310e1c3716099b9d02ece4169272f73 – 60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4
Linux / Linux70c464256310e1c3716099b9d02ece4169272f73 – 9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e
Linux / Linux70c464256310e1c3716099b9d02ece4169272f73 – c7777f534a8018ae4bb1c80d8925af4df588a314
Linux / Linux70c464256310e1c3716099b9d02ece4169272f73 – 6b4d226d01ab7da0d2027a2a1e3a6079152e5065
Linux / Linux70c464256310e1c3716099b9d02ece4169272f73 – 541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f
Linux / Linux70c464256310e1c3716099b9d02ece4169272f73 – 385b2d0468a0871fc716c549fa3b0c257c7dbcb3
Linux / Linux70c464256310e1c3716099b9d02ece4169272f73 – c27224daf0b08efbb2b24ed64b6139b294f5473a
Linux / Linux70c464256310e1c3716099b9d02ece4169272f73 – 5c7209a341ff2ac338b2b0375c34a307b37c9ac2
Linux / Linux3.17 – 3.17
Linux / Linux0 – 3.17
Linux / Linux5.10.258 – 5.10.*
Linux / Linux5.15.209 – 5.15.*
Linux / Linux6.1.175 – 6.1.*
Linux / Linux6.6.141 – 6.6.*
Linux / Linux6.12.91 – 6.12.*
Linux / Linux6.18.33 – 6.18.*
Linux / Linux7.0.10 – 7.0.*
Linux / Linux7.1 – *

Description

CVSS breakdown

Affected products

References