Skip to main content

Linux Kernel CVE-2026-53072

| EUVDEUVD-2026-38940 HIGH
2026-06-24 Linux GHSA-h99j-gm55-rrcw
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

AV:A for Bluetooth proximity; AC:H because exploitation depends on winning a concurrent conn-deletion race; PR:N/UI:N as the remote peer needs no auth, and a kernel UAF yields full C/I/A impact.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:04 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 8.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER

When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF.

Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held.

Fix by holding the lock.

AnalysisAI

Use-after-free in the Linux kernel Bluetooth subsystem allows kernel memory corruption when the HCI connection-request handler (hci_conn_request_evt()) invokes hci_connect_cfm() without holding hdev->lock under the HCI_PROTO_DEFER path. An adjacent attacker within Bluetooth range can race a concurrent connection teardown against a deferred-setup SCO listener to free and reuse the conn object, yielding high confidentiality, integrity, and availability impact (CVSS 8.8). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position within Bluetooth range
Delivery
Send HCI connection request to SCO defer listener
Exploit
Race concurrent conn deletion
Execution
Trigger use-after-free in hci_connect_cfm()
Persist
Corrupt kernel memory
Impact
Crash or escalate privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to have an active Bluetooth SCO socket in deferred-setup listen mode (the only path that sets HCI_PROTO_DEFER and is reachable via HCI_EV_CONN_REQUEST - ISO is explicitly excluded because that event is not generated for ISO), and the attacker must be within Bluetooth/adjacent radio range (AV:A) to send the connection request. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should temper the high CVSS base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker within Bluetooth radio range of a target that exposes a SCO listening socket in deferred-setup mode repeatedly initiates and tears down connections to drive HCI_EV_CONN_REQUEST processing while a concurrent path deletes the conn object, racing to make hci_connect_cfm() operate on freed kernel memory. Winning the race corrupts kernel memory, which can crash the host or, with heap grooming, be steered toward privilege escalation. …
Remediation Apply your distribution's updated kernel package; the upstream fix simply takes hdev->lock around the hci_connect_cfm() call in hci_conn_request_evt(). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify and inventory Linux systems with active Bluetooth capability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy