CVE-2026-53276
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
A use-after-free vulnerability was found in the Linux kernel's Bluetooth ISO subsystem. The iso_sock_rebind_bc() function caches a pointer to the hci_conn structure and then releases the socket lock, allowing a concurrent close() to free the memory before the pointer is reused.
Risk Assessment
An attacker could exploit the race window to access freed memory, potentially leading to arbitrary code execution or system crash (kernel panic).
Recommendation
Apply the Linux kernel patch immediately, which fixes the issue by using a safe hdev reference obtained via iso_conn_get_hdev().
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is dropped: bis = iso_pi(sk)->conn->hcon; /* Release the socket before lookups since that requires hci_dev_lock * which shall not be acquired while holding sock_lock for proper * ordering. */ release_sock(sk); hci_dev_lock(bis->hdev); During the unlocked window, could a concurrent close() destroy the connection and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory after it is freed, fix this by using the hdev reference which was safely acquired via iso_conn_get_hdev().

