CVE-2026-53072
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the Bluetooth stack where hci_conn_request_evt() calls hci_connect_cfm() without holding the hdev->lock. This can lead to a use-after-free (UAF) if the connection is deleted concurrently.
Risk Assessment
An attacker could exploit this flaw to achieve remote code execution or privilege escalation by sending a crafted Bluetooth connection request, potentially leading to full system compromise.
Recommendation
Immediately update the Linux kernel to a version containing the fix that ensures hdev->lock is held during the hci_connect_cfm() call.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF. Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held. Fix by holding the lock.

