CVE Catalog

CVE-2026-53072

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

In the Linux kernel, a vulnerability was found in the Bluetooth stack where hci_conn_request_evt() calls hci_connect_cfm() without holding the hdev->lock. This can lead to a use-after-free (UAF) if the connection is deleted concurrently.

Risk Assessment

An attacker could exploit this flaw to achieve remote code execution or privilege escalation by sending a crafted Bluetooth connection request, potentially leading to full system compromise.

Recommendation

Immediately update the Linux kernel to a version containing the fix that ensures hdev->lock is held during the hci_connect_cfm() call.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF. Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held. Fix by holding the lock.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS