Skip to main content

Linux Kernel CVE-2026-52918

| EUVDEUVD-2026-38721 HIGH
2026-06-24 Linux GHSA-rf7j-4mgx-52c3
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Timing-dependent local race on Bluetooth sockets needs local access and a won race, so AV:L/AC:H/PR:L; UAF can yield kernel memory corruption (C/I/A:H).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:22 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: serialize accept_q access

bt_sock_poll() walks the accept queue without synchronization, while child teardown can unlink the same socket and drop its last reference. The unsynchronized accept queue walk has existed since the initial Bluetooth import.

Protect accept_q with a dedicated lock for queue updates and polling. Also rework bt_accept_dequeue() to take temporary child references under the queue lock before dropping it and locking the child socket.

AnalysisAI

Use-after-free in the Linux kernel Bluetooth subsystem allows a crafted sequence of socket polling and connection teardown to dereference a freed sock structure, because bt_sock_poll() walks the per-socket accept queue without synchronization while a concurrent child teardown unlinks the same socket and drops its last reference. The flaw has existed since the original Bluetooth import and affects effectively all kernel versions until the fixed stable releases; EPSS is low (0.18%, 7th percentile) and there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local execution on Bluetooth-enabled host
Delivery
Open Bluetooth listening socket
Exploit
Race poll() against child teardown
Execution
Trigger use-after-free on freed sock
Persist
Groom heap to reclaim object
Impact
Corrupt kernel memory for DoS/privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires the Bluetooth subsystem to be present and active and a Bluetooth socket in a listening/accepting state so that the accept_q (accept queue) is populated with child sockets; the attacker must concurrently invoke bt_sock_poll() (via poll/select/epoll on the Bluetooth socket) while a child connection is being torn down, winning the race window in which the socket is unlinked and its last reference dropped. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should temper the headline CVSS 8.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker (or untrusted local process) on a host with the Bluetooth stack active opens a Bluetooth listening socket, then races a poll() loop against rapid child-connection teardown so that bt_sock_poll() dereferences a child sock just as its last reference is freed. By grooming the kernel heap to reclaim the freed object, the attacker turns the use-after-free into kernel memory corruption for denial of service or privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.142, 6.12.92, 6.18.34, or mainline 7.1 (or later) - matching your maintained branch; the fix adds a dedicated lock serializing accept_q updates and polling and takes temporary child references before locking the child socket (see the git.kernel.org/stable/c/ commits, e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit your environment to identify all Linux systems with Bluetooth subsystem enabled; prioritize systems managing critical services or sensitive data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy