← voltar
CVE-2026-53072

Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER

CVSS 8.8 HIGHEPSS 0.2%
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.8EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
24 jun 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF. Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held. Fix by holding the lock.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
Linux · Linux