Use-After-Free Vulnerability in Linux Kernel Bluetooth Stack
CVE-2026-53276
What is CVE-2026-53276?
A use-after-free in the Linux kernel's Bluetooth subsystem occurs within the iso_sock_rebind_bc() function. It is caused by a race condition: if a concurrent operation closes the connection, the hci_conn pointer can become invalid. When the function subsequently tries to acquire the lock on the hdev after the socket lock has been released, it can access freed memory, which poses significant risks for system stability and security. The fix acquires the hdev reference safely through iso_conn_get_hdev() before the socket lock is released, which prevents potential exploitation.
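The ordering problem described above, as an added userspace model that is not the kernel's code and does not reproduce iso_sock_rebind_bc() or iso_conn_get_hdev(). All struct and function names are hypothetical, and the concurrent close is simulated by a call placed in the window after the unlock, so the outcome is deterministic.

```c
/* Userspace model, constructed for illustration; not kernel code. Objects are
 * marked dead rather than freed, so a stale access is detectable without UB. */
#include <pthread.h>

struct hdev { int refs, alive; };
struct conn { struct hdev *hdev; int alive; };
struct sock { pthread_mutex_t lock; struct conn *conn; };
static void hdev_put(struct hdev *h) { if (--h->refs == 0) h->alive = 0; }

/* Stand-in for the concurrent close: detach and tear down the connection. */
static void close_conn(struct sock *sk)
{
    pthread_mutex_lock(&sk->lock);
    struct conn *c = sk->conn;
    sk->conn = NULL;
    pthread_mutex_unlock(&sk->lock);
    if (c) { c->alive = 0; hdev_put(c->hdev); }
}

/* Racy shape: keeps only the conn pointer across the unlock; returns 1 if stale. */
static int rebind_racy(struct sock *sk, int closer_runs)
{
    pthread_mutex_lock(&sk->lock);
    struct conn *c = sk->conn;
    pthread_mutex_unlock(&sk->lock);
    if (closer_runs) close_conn(sk);      /* the race window */
    return c && !c->alive;                /* c->hdev here would be the UAF */
}

/* Fixed shape: take a reference on hdev before the lock is dropped. */
static int rebind_pinned(struct sock *sk, int closer_runs)
{
    pthread_mutex_lock(&sk->lock);
    struct hdev *h = sk->conn ? sk->conn->hdev : NULL;
    if (h) h->refs++;
    pthread_mutex_unlock(&sk->lock);
    if (!h) return 0;                     /* connection already gone: bail out */
    if (closer_runs) close_conn(sk);
    int stale = !h->alive;                /* 0: our reference keeps it alive */
    hdev_put(h);
    return stale;
}

/* Runs one variant on a fresh socket/conn/hdev; returns the stale flag. */
static int model(int pinned, int closer_runs)
{
    struct hdev h = { 1, 1 }; struct conn c = { &h, 1 };
    struct sock sk = { PTHREAD_MUTEX_INITIALIZER, &c };
    return pinned ? rebind_pinned(&sk, closer_runs) : rebind_racy(&sk, closer_runs);
}
```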
Affected Version(s)
Linux d3413703d5f8b7d1e6f514f9440ed5da1bc30796
Linux 6.19