EUVD-2026-32438
GHSA-v6c2-56h6-9pgq
Lifecycle Timeline
2DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently.
Extend the hci_dev_lock critical section to cover all conn usage in both handlers.
Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.
Analysis
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. …
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect
Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authentic
NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash th
NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local
In the Linux kernel, the following vulnerability has been resolved: netfilter: arp_tables: fix IEEE1394 ARP payload par
Share
External POC / Exploit Code
Leaving vuln.today