Skip to main content

Linux Kernel CVE-2026-53276

| EUVDEUVD-2026-39227 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h5cp-pgfw-22wh
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local low-privilege attacker (AV:L/PR:L); AC:H because triggering the UAF requires winning a narrow concurrency race; kernel UAF yields high C/I/A via likely memory corruption.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 28, 2026 - 09:52 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer

In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is dropped: bis = iso_pi(sk)->conn->hcon; /* Release the socket before lookups since that requires hci_dev_lock

  • which shall not be acquired while holding sock_lock for proper
  • ordering.

*/ release_sock(sk); hci_dev_lock(bis->hdev);

During the unlocked window, could a concurrent close() destroy the connection and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory after it is freed, fix this by using the hdev reference which was safely acquired via iso_conn_get_hdev().

AnalysisAI

Local privilege escalation potential via a use-after-free in the Linux kernel's Bluetooth ISO (Isochronous) subsystem affects kernels through 6.19 and related stable trees. In iso_sock_rebind_bc(), the code caches the hci_conn pointer (bis) and then drops the socket lock to acquire hci_dev_lock; a concurrent close() during this unlocked window can destroy the connection and free the bis structure, so the subsequent hci_dev_lock(bis->hdev) dereferences freed memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Local user opens Bluetooth ISO socket
Delivery
Trigger iso_sock_rebind_bc rebind path
Exploit
Race concurrent close() during unlocked window
Execution
Free hci_conn (bis) then dereference freed pointer
Persist
Groom kernel heap for controlled UAF
Impact
Corrupt kernel memory for privilege escalation

Vulnerability AssessmentAI

Exploitation Requires local access with the ability to create Bluetooth ISO sockets (AF_BLUETOOTH, BTPROTO_ISO) on a host with the Bluetooth subsystem present and loaded, and the affected kernel version. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent and point to a moderate, locally-exploitable issue rather than an urgent internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local unprivileged user on an affected host opens a Bluetooth ISO broadcast socket and invokes the rebind path while a second thread concurrently closes the same connection, racing to free the hci_conn during the lock-release window. Winning the race causes the kernel to dereference the freed object, which a skilled attacker could shape via heap grooming toward kernel memory corruption and privilege escalation. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the kernel.org stable fixes referenced by commits d324b8aa20bd3c3394e3647dc22491d88f3f4e7a and f50331f2a1441ec49988832c3a95f2edacc47322 (https://git.kernel.org/stable/c/d324b8aa20bd3c3394e3647dc22491d88f3f4e7a and https://git.kernel.org/stable/c/f50331f2a1441ec49988832c3a95f2edacc47322), or upgrade to the patched kernel package shipped by your distribution once it incorporates these commits, then reboot. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Linux kernels 6.19 and earlier, prioritizing production servers and systems with user login access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy