Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:A for Bluetooth proximity; AC:H because exploitation depends on winning a concurrent conn-deletion race; PR:N/UI:N as the remote peer needs no auth, and a kernel UAF yields full C/I/A impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF.
Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held.
Fix by holding the lock.
AnalysisAI
Use-after-free in the Linux kernel Bluetooth subsystem allows kernel memory corruption when the HCI connection-request handler (hci_conn_request_evt()) invokes hci_connect_cfm() without holding hdev->lock under the HCI_PROTO_DEFER path. An adjacent attacker within Bluetooth range can race a concurrent connection teardown against a deferred-setup SCO listener to free and reuse the conn object, yielding high confidentiality, integrity, and availability impact (CVSS 8.8). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to have an active Bluetooth SCO socket in deferred-setup listen mode (the only path that sets HCI_PROTO_DEFER and is reachable via HCI_EV_CONN_REQUEST - ISO is explicitly excluded because that event is not generated for ISO), and the attacker must be within Bluetooth/adjacent radio range (AV:A) to send the connection request. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should temper the high CVSS base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker within Bluetooth radio range of a target that exposes a SCO listening socket in deferred-setup mode repeatedly initiates and tears down connections to drive HCI_EV_CONN_REQUEST processing while a concurrent path deletes the conn object, racing to make hci_connect_cfm() operate on freed kernel memory. Winning the race corrupts kernel memory, which can crash the host or, with heap grooming, be steered toward privilege escalation. … |
| Remediation | Apply your distribution's updated kernel package; the upstream fix simply takes hdev->lock around the hci_connect_cfm() call in hci_conn_request_evt(). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify and inventory Linux systems with active Bluetooth capability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38940
GHSA-h99j-gm55-rrcw