Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Adjacent Bluetooth vector (AV:A); race condition makes it high-complexity (AC:H); a local listener socket must exist so PR:L; kernel UAF yields high C/I/A.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcomm_connect_ind() then locks the listener, queues a child socket on it, and may notify it after unlocking it.
The buggy scenario involves two paths, with each column showing the order within that path:
rfcomm_connect_ind(): listener close:
- Find parent in 1. close() enters
rfcomm_get_sock_by_channel() rfcomm_sock_release().
- Drop rfcomm_sk_list.lock 2. rfcomm_sock_shutdown()
without pinning parent. closes the listener.
- Call lock_sock(parent) and 3. rfcomm_sock_kill()
bt_accept_enqueue(parent, unlinks and puts parent. sk, true).
- Read parent flags and may 4. parent can be freed.
call sk_state_change().
If close wins the race, parent can be freed before rfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the deferred-setup callback.
Take a reference on the listener before leaving rfcomm_sk_list.lock. After lock_sock() succeeds, recheck that it is still in BT_LISTEN before queueing a child, cache the deferred-setup bit while the parent is locked, and drop the reference after the last parent use.
KASAN reported a slab-use-after-free in lock_sock_nested() from rfcomm_connect_ind(), with the freeing stack going through rfcomm_sock_kill() and rfcomm_sock_release().
AnalysisAI
Use-after-free in the Linux kernel's Bluetooth RFCOMM subsystem allows an attacker within Bluetooth range to corrupt kernel memory by racing an incoming RFCOMM connection against the close of a listener socket. The flaw lives in rfcomm_connect_ind(), which uses a listener socket returned by rfcomm_get_sock_by_channel() after the protecting list lock is dropped and without taking a reference, so a concurrent rfcomm_sock_release() can free the parent socket before it is locked and a child is enqueued. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires Bluetooth to be enabled on the target and an RFCOMM service actively bound to a channel in BT_LISTEN state, plus the attacker being within Bluetooth (adjacent) range to issue an incoming RFCOMM connection that triggers rfcomm_connect_ind(). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.0) marks this adjacent-network, low-complexity, low-privilege with full CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker within Bluetooth range repeatedly initiates RFCOMM connections to a target that is opening and closing an RFCOMM listening socket (for example a phone or laptop cycling an SPP/handsfree service), aiming to land an inbound connect in the moment the listener is being torn down. Winning the race causes rfcomm_connect_ind() to operate on a freed parent socket, producing a kernel slab use-after-free that most reliably crashes the system and could potentially be groomed toward memory corruption. … |
| Remediation | Apply the vendor-released kernel patch for your branch: upgrade to at least 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or the equivalent distribution-backported package), which adds a sock_hold() on the listener before leaving rfcomm_sk_list.lock, rechecks BT_LISTEN under lock_sock(), caches the deferred-setup bit while the parent is locked, and drops the reference after the last use. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: audit Linux systems with Bluetooth RFCOMM enabled, prioritizing production servers and critical infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39207
GHSA-hq32-rppj-r4rv