Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local low-privilege attacker (AV:L/PR:L); AC:H because triggering the UAF requires winning a narrow concurrency race; kernel UAF yields high C/I/A via likely memory corruption.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer
In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is dropped: bis = iso_pi(sk)->conn->hcon; /* Release the socket before lookups since that requires hci_dev_lock
- which shall not be acquired while holding sock_lock for proper
- ordering.
*/ release_sock(sk); hci_dev_lock(bis->hdev);
During the unlocked window, could a concurrent close() destroy the connection and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory after it is freed, fix this by using the hdev reference which was safely acquired via iso_conn_get_hdev().
AnalysisAI
Local privilege escalation potential via a use-after-free in the Linux kernel's Bluetooth ISO (Isochronous) subsystem affects kernels through 6.19 and related stable trees. In iso_sock_rebind_bc(), the code caches the hci_conn pointer (bis) and then drops the socket lock to acquire hci_dev_lock; a concurrent close() during this unlocked window can destroy the connection and free the bis structure, so the subsequent hci_dev_lock(bis->hdev) dereferences freed memory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access with the ability to create Bluetooth ISO sockets (AF_BLUETOOTH, BTPROTO_ISO) on a host with the Bluetooth subsystem present and loaded, and the affected kernel version. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent and point to a moderate, locally-exploitable issue rather than an urgent internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local unprivileged user on an affected host opens a Bluetooth ISO broadcast socket and invokes the rebind path while a second thread concurrently closes the same connection, racing to free the hci_conn during the lock-release window. Winning the race causes the kernel to dereference the freed object, which a skilled attacker could shape via heap grooming toward kernel memory corruption and privilege escalation. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the kernel.org stable fixes referenced by commits d324b8aa20bd3c3394e3647dc22491d88f3f4e7a and f50331f2a1441ec49988832c3a95f2edacc47322 (https://git.kernel.org/stable/c/d324b8aa20bd3c3394e3647dc22491d88f3f4e7a and https://git.kernel.org/stable/c/f50331f2a1441ec49988832c3a95f2edacc47322), or upgrade to the patched kernel package shipped by your distribution once it incorporates these commits, then reboot. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Linux kernels 6.19 and earlier, prioritizing production servers and systems with user login access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39227
GHSA-h5cp-pgfw-22wh