Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local error-path trigger requires low privileges and Bluetooth module access; only availability is impacted via percpu memory exhaustion.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: fix memory leak in error path of hci_alloc_dev()
Early failures in Bluetooth HCI UART configuration leak SRCU percpu memory.
When device initialization fails before hci_register_dev() completes, the HCI_UNREGISTER flag is never set. As a result, when the device reference count reaches zero, bt_host_release() evaluates this flag as false and falls back to a direct kfree(hdev).
Because hci_release_dev() is bypassed, the SRCU struct initialized early in hci_alloc_dev() is never cleaned up, resulting in a leak of percpu memory.
Fix the leak by explicitly calling cleanup_srcu_struct() in the fallback (unregistered) branch of bt_host_release() before freeing the device.
AnalysisAI
Percpu memory leak in the Linux kernel Bluetooth subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering early failures in Bluetooth HCI UART device initialization. Affected kernels spanning stable branches from 5.10 through 6.16-rc4 fail to invoke cleanup_srcu_struct() when hci_register_dev() never completes, causing the SRCU struct allocated early in hci_alloc_dev() to persist indefinitely. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local system access with at least low-privilege user credentials (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-low despite the High availability CVSS sub-score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with shell access on a Linux host with Bluetooth hardware or a virtual Bluetooth adapter repeatedly triggers Bluetooth HCI UART device initialization in a way that causes early failure - for example, by rapidly attaching and detaching a Bluetooth device or inducing probe errors - before hci_register_dev() completes. Each failed initialization cycle leaks SRCU percpu memory. … |
| Remediation | Update the Linux kernel to a fixed stable release: 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 as applicable to the deployment branch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39203
GHSA-7mrh-gfr7-2p24