Skip to main content

Linux Kernel EUVDEUVD-2026-32870

| CVE-2026-46111 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-926m-qfg2-2w89
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:49 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in create_big_sync

Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().

Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().

hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.

Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().

AnalysisAI

Local privilege escalation potential in the Linux kernel Bluetooth subsystem (hci_conn) stems from a use-after-free in create_big_sync() when a Broadcast Isochronous Group (BIG) creation races against connection teardown. A local low-privileged attacker on a system with active Bluetooth LE Audio operations could trigger the freed hci_conn dereference through hci_connect_cfm()/hci_conn_del(), enabling memory corruption with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile), reflecting limited weaponization despite the CVSS 7.8 rating.

Technical ContextAI

The flaw lives in net/bluetooth/hci_conn.c within the Linux kernel's HCI (Host Controller Interface) layer that manages Bluetooth Low Energy Isochronous Channels - specifically the BIG (Broadcast Isochronous Group) creation path used by LE Audio and Auracast broadcast features. create_big_sync() is queued asynchronously via the hci_sync workqueue and could previously execute against an hci_conn object that had already been torn down on another path, because no refcount was held across the async boundary and no validity check was performed before dereference. The fix introduces an hci_conn_valid() guard, takes an hci_conn_get() reference when queueing, drops it after the completion callback returns, and re-validates under hci_dev_lock() - mirroring the existing safer pattern in create_le_conn_complete() and create_pa_complete(). The root cause class is a classic use-after-free (CWE-416, though the CVE record lists CWE as N/A), specifically a TOCTOU/lifetime-management bug across an asynchronous boundary.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.6.140, 6.12.90, 6.18.32, 7.0.7, or 7.1-rc3 (or any later release in those stable trees), or apply the upstream commits referenced above (0beddb0c, 1750a2df, 6823f730, dc34f8d8, f8eaf92c) and rebuild. For distribution-managed systems, install the vendor kernel update once your distribution backports one of those commits and reboot. If immediate patching is not possible, the most effective compensating control is to disable the Bluetooth stack entirely (rmmod bluetooth btusb or blacklist via /etc/modprobe.d/) - this fully closes the attack surface but breaks all Bluetooth functionality including LE Audio, keyboards, mice, and headsets. A narrower mitigation is to restrict CAP_NET_ADMIN and access to /dev/rfkill and the Bluetooth management socket to trusted users only, since the bug requires the ability to initiate BIG creation; this reduces exposure on multi-user systems without fully disabling Bluetooth. Generic kernel hardening (KASLR, SMAP/SMEP, CONFIG_SLAB_FREELIST_RANDOM, CONFIG_RANDOM_KMALLOC_CACHES) raises the cost of turning the UAF into reliable code execution but does not eliminate the bug.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32870 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy