Skip to main content

Linux Kernel EUVDEUVD-2026-32438

| CVE-2026-46056 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-v6c2-56h6-9pgq
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:42 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: fix potential UAF in SSP passkey handlers

hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently.

Extend the hci_dev_lock critical section to cover all conn usage in both handlers.

Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.

AnalysisAI

Use-after-free in the Linux kernel Bluetooth subsystem (hci_event) allows an adjacent attacker within Bluetooth range to potentially achieve memory corruption against vulnerable hosts during SSP pairing. The flaw stems from missing hdev locking in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where an hci_conn structure can be freed concurrently while still in use. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).

Technical ContextAI

The bug lives in the Bluetooth HCI (Host Controller Interface) event handling layer of the Linux kernel, specifically in the Secure Simple Pairing (SSP) passkey and keypress notification handlers within net/bluetooth/hci_event.c. These handlers perform hci_conn lookups and access fields on the returned connection object, but the original code did not hold hci_dev_lock across the entire conn usage path, creating a race window where another kernel thread could free the connection. This is a classic concurrency-induced use-after-free (CWE-416 class) where the fix extends the hci_dev_lock critical section to cover all conn dereferences and routes early exits through a unified unlock path to preserve existing keypress notification semantics.

RemediationAI

Upstream fix available via the stable kernel commits listed above; upgrade to a patched stable release - Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 or later - depending on which branch your distribution tracks. For systems that cannot be patched immediately, the most effective compensating control is to disable the Bluetooth stack entirely (rmmod btusb bluetooth or systemctl disable --now bluetooth.service), which eliminates the attack surface at the cost of losing Bluetooth peripherals. If Bluetooth must remain enabled, restrict pairing by keeping the adapter non-discoverable (bluetoothctl discoverable off) and avoid initiating SSP pairing in untrusted RF environments such as conferences or public spaces; this reduces but does not eliminate the race window. Track distro advisories via the kernel.org commit URLs in the NVD references for backport availability.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32438 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy