CVE Catalog

CVE-2026-52918

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

A vulnerability was found in the Linux kernel's Bluetooth stack due to unsynchronized access to the accept_q queue. The bt_sock_poll() function walks the queue without locking, while child socket teardown can concurrently unlink and release the last reference, causing a race condition. This issue has existed since the initial Bluetooth implementation.

Risk Assessment

A local attacker could exploit this race condition to gain unauthorized access to kernel memory, potentially leading to privilege escalation or system denial of service.

Recommendation

Immediately update the Linux kernel to a version containing the fix, which introduces a dedicated lock for the accept_q queue and reworks reference handling in bt_accept_dequeue().

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: serialize accept_q access bt_sock_poll() walks the accept queue without synchronization, while child teardown can unlink the same socket and drop its last reference. The unsynchronized accept queue walk has existed since the initial Bluetooth import. Protect accept_q with a dedicated lock for queue updates and polling. Also rework bt_accept_dequeue() to take temporary child references under the queue lock before dropping it and locking the child socket.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS