Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timing-dependent local race on Bluetooth sockets needs local access and a won race, so AV:L/AC:H/PR:L; UAF can yield kernel memory corruption (C/I/A:H).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: serialize accept_q access
bt_sock_poll() walks the accept queue without synchronization, while child teardown can unlink the same socket and drop its last reference. The unsynchronized accept queue walk has existed since the initial Bluetooth import.
Protect accept_q with a dedicated lock for queue updates and polling. Also rework bt_accept_dequeue() to take temporary child references under the queue lock before dropping it and locking the child socket.
AnalysisAI
Use-after-free in the Linux kernel Bluetooth subsystem allows a crafted sequence of socket polling and connection teardown to dereference a freed sock structure, because bt_sock_poll() walks the per-socket accept queue without synchronization while a concurrent child teardown unlinks the same socket and drops its last reference. The flaw has existed since the original Bluetooth import and affects effectively all kernel versions until the fixed stable releases; EPSS is low (0.18%, 7th percentile) and there is no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Bluetooth subsystem to be present and active and a Bluetooth socket in a listening/accepting state so that the accept_q (accept queue) is populated with child sockets; the attacker must concurrently invoke bt_sock_poll() (via poll/select/epoll on the Bluetooth socket) while a child connection is being torn down, winning the race window in which the socket is unlinked and its last reference dropped. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should temper the headline CVSS 8.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker (or untrusted local process) on a host with the Bluetooth stack active opens a Bluetooth listening socket, then races a poll() loop against rapid child-connection teardown so that bt_sock_poll() dereferences a child sock just as its last reference is freed. By grooming the kernel heap to reclaim the freed object, the attacker turns the use-after-free into kernel memory corruption for denial of service or privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.142, 6.12.92, 6.18.34, or mainline 7.1 (or later) - matching your maintained branch; the fix adds a dedicated lock serializing accept_q updates and polling and takes temporary child references before locking the child socket (see the git.kernel.org/stable/c/ commits, e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit your environment to identify all Linux systems with Bluetooth subsystem enabled; prioritize systems managing critical services or sensitive data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38721
GHSA-rf7j-4mgx-52c3