Skip to main content

Linux Kernel EUVDEUVD-2026-26618

| CVE-2026-43019 HIGH
Use After Free (CWE-416)
2026-05-01 Linux
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:34 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26618
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possible it is freed concurrently.

Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration.

AnalysisAI

Use-after-free in Linux kernel Bluetooth subsystem allows local authenticated attackers to achieve arbitrary code execution with high privileges. The vulnerability exists in set_cig_params_sync where hci_conn objects can be freed or modified concurrently during lookup and field access due to inadequate locking. Vendor patches are available across multiple stable kernel branches (6.6, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, no CISA KEV listing, and no public exploit identified at time of analysis.

Technical ContextAI

This is a use-after-free (UAF) vulnerability in the Linux kernel's Bluetooth Host Controller Interface (HCI) connection management code. The set_cig_params_sync function performs lookups and accesses fields on hci_conn objects (representing Bluetooth connections) without adequate mutex protection. The code previously relied only on RCU (Read-Copy-Update) locking, which prevents memory from being freed during read operations but does not prevent concurrent modifications to object fields. In multi-threaded scenarios, one thread can free or modify an hci_conn structure while set_cig_params_sync is actively using it, leading to memory corruption. The CIG (Connected Isochronous Group) parameters are part of Bluetooth Low Energy Audio functionality introduced in recent kernel versions. The fix enforces proper hdev (HCI device) mutex locking to serialize access and prevent both premature deallocation and configuration tearing during concurrent operations.

RemediationAI

Upgrade to patched kernel versions: 6.6.x (latest stable), 6.12.81 or later, 6.18.22 or later, 6.19.12 or later, or 7.0 or later depending on your distribution's kernel branch. Patches available from https://git.kernel.org/stable/c/a2639a7f0f5bf7d73f337f8f077c19415c62ed2c and related commits. For systems unable to immediately patch, disable Bluetooth LE Audio functionality by blacklisting the iso_socket kernel module (modprobe -r iso_socket; echo 'blacklist iso_socket' >> /etc/modprobe.d/bluetooth-disable.conf) which prevents CIG parameter operations entirely but breaks LE Audio device support. Alternatively, restrict access to /dev/hci* devices to root only (chmod 600 /dev/hci*) and remove non-root users from bluetooth group, though this breaks userspace Bluetooth for unprivileged applications. These workarounds significantly reduce attack surface but may impact legitimate Bluetooth functionality. Systems without Bluetooth hardware or with Bluetooth disabled in BIOS are not affected.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26618 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy