Skip to main content

Linux Kernel EUVDEUVD-2026-39207

| CVE-2026-53256 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-hq32-rppj-r4rv
8.0
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.1 HIGH

Adjacent Bluetooth vector (AV:A); race condition makes it high-complexity (AC:H); a local listener socket must exist so PR:L; kernel UAF yields high C/I/A.

3.1 AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:46 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.0 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.0
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()

rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcomm_connect_ind() then locks the listener, queues a child socket on it, and may notify it after unlocking it.

The buggy scenario involves two paths, with each column showing the order within that path:

rfcomm_connect_ind(): listener close:

  1. Find parent in 1. close() enters

rfcomm_get_sock_by_channel() rfcomm_sock_release().

  1. Drop rfcomm_sk_list.lock 2. rfcomm_sock_shutdown()

without pinning parent. closes the listener.

  1. Call lock_sock(parent) and 3. rfcomm_sock_kill()

bt_accept_enqueue(parent, unlinks and puts parent. sk, true).

  1. Read parent flags and may 4. parent can be freed.

call sk_state_change().

If close wins the race, parent can be freed before rfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the deferred-setup callback.

Take a reference on the listener before leaving rfcomm_sk_list.lock. After lock_sock() succeeds, recheck that it is still in BT_LISTEN before queueing a child, cache the deferred-setup bit while the parent is locked, and drop the reference after the last parent use.

KASAN reported a slab-use-after-free in lock_sock_nested() from rfcomm_connect_ind(), with the freeing stack going through rfcomm_sock_kill() and rfcomm_sock_release().

AnalysisAI

Use-after-free in the Linux kernel's Bluetooth RFCOMM subsystem allows an attacker within Bluetooth range to corrupt kernel memory by racing an incoming RFCOMM connection against the close of a listener socket. The flaw lives in rfcomm_connect_ind(), which uses a listener socket returned by rfcomm_get_sock_by_channel() after the protecting list lock is dropped and without taking a reference, so a concurrent rfcomm_sock_release() can free the parent socket before it is locked and a child is enqueued. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position within Bluetooth range of target
Delivery
Initiate RFCOMM connection to listening channel
Exploit
Race connect against listener close()
Execution
Trigger use-after-free in rfcomm_connect_ind()
Persist
Dereference freed listener socket
Impact
Kernel memory corruption / system crash

Vulnerability AssessmentAI

Exploitation Exploitation requires Bluetooth to be enabled on the target and an RFCOMM service actively bound to a channel in BT_LISTEN state, plus the attacker being within Bluetooth (adjacent) range to issue an incoming RFCOMM connection that triggers rfcomm_connect_ind(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.0) marks this adjacent-network, low-complexity, low-privilege with full CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker within Bluetooth range repeatedly initiates RFCOMM connections to a target that is opening and closing an RFCOMM listening socket (for example a phone or laptop cycling an SPP/handsfree service), aiming to land an inbound connect in the moment the listener is being torn down. Winning the race causes rfcomm_connect_ind() to operate on a freed parent socket, producing a kernel slab use-after-free that most reliably crashes the system and could potentially be groomed toward memory corruption. …
Remediation Apply the vendor-released kernel patch for your branch: upgrade to at least 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or the equivalent distribution-backported package), which adds a sock_hold() on the listener before leaving rfcomm_sk_list.lock, rechecks BT_LISTEN under lock_sock(), caches the deferred-setup bit while the parent is locked, and drops the reference after the last use. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit Linux systems with Bluetooth RFCOMM enabled, prioritizing production servers and critical infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39207 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy