Skip to main content

Linux Kernel EUVDEUVD-2026-39203

| CVE-2026-53252 MEDIUM
Memory Leak (CWE-401)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7mrh-gfr7-2p24
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local error-path trigger requires low privileges and Bluetooth module access; only availability is impacted via percpu memory exhaustion.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 17:29 vuln.today
CVSS changed
Jul 08, 2026 - 16:52 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix memory leak in error path of hci_alloc_dev()

Early failures in Bluetooth HCI UART configuration leak SRCU percpu memory.

When device initialization fails before hci_register_dev() completes, the HCI_UNREGISTER flag is never set. As a result, when the device reference count reaches zero, bt_host_release() evaluates this flag as false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized early in hci_alloc_dev() is never cleaned up, resulting in a leak of percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the fallback (unregistered) branch of bt_host_release() before freeing the device.

AnalysisAI

Percpu memory leak in the Linux kernel Bluetooth subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering early failures in Bluetooth HCI UART device initialization. Affected kernels spanning stable branches from 5.10 through 6.16-rc4 fail to invoke cleanup_srcu_struct() when hci_register_dev() never completes, causing the SRCU struct allocated early in hci_alloc_dev() to persist indefinitely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain local low-privilege access
Delivery
Load Bluetooth HCI UART kernel module
Exploit
Trigger device initialization failure before hci_register_dev() completes
Install
HCI_UNREGISTER flag left unset
C2
bt_host_release() skips hci_release_dev()
Execute
SRCU percpu memory leaked
Impact
Repeat to exhaust kernel memory
Step 8
System DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires local system access with at least low-privilege user credentials (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-low despite the High availability CVSS sub-score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with shell access on a Linux host with Bluetooth hardware or a virtual Bluetooth adapter repeatedly triggers Bluetooth HCI UART device initialization in a way that causes early failure - for example, by rapidly attaching and detaching a Bluetooth device or inducing probe errors - before hci_register_dev() completes. Each failed initialization cycle leaks SRCU percpu memory. …
Remediation Update the Linux kernel to a fixed stable release: 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 as applicable to the deployment branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy