HIGH
bluetooth HCI Connection UAF
CVE-2026-43018
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 8.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt

hci_conn lookup and field access must be covered by hdev lock in hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage.
02 KernelScan AI Analysis
Risk summary
An attacker with local access and Bluetooth capabilities could trigger memory corruption by winning a race in Bluetooth LE connection parameter handling, possibly leading to privilege escalation or a system crash.
Vulnerability analysis
Summary: Use-after-free vulnerability in Bluetooth HCI event handling due to insufficient locking around connection object access.
Root Cause: The hci_le_remote_conn_param_req_evt function performs hci_conn lookup and accesses connection fields without holding the hdev lock for the entire duration. This creates a race condition where the connection object can be freed by another thread between the lookup and field access, leading to use-after-free.
Attack Surface: Local attack surface requiring Bluetooth hardware and the ability to send crafted Bluetooth LE connection parameter request events. Attackers need to trigger concurrent connection cleanup while the vulnerable function is processing connection parameters.
Fix Mechanism: The patch extends the hci_dev_lock critical section to cover all connection object usage, ensuring atomic access to the connection structure and preventing concurrent freeing during parameter processing.
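The lock window described above, as an added illustration that is not the kernel's code: a single-threaded C model in which hci_dev, hci_conn, the hdev lock and the connection cleanup are mocks (assumed names, not kernel internals). evt_before_fix looks the conn up before taking the lock, so a cleanup that runs in the window leaves it reading a freed object; evt_after_fix holds the lock across lookup and use, so cleanup is forced to wait.

```c
/* Constructed single-threaded model of the lock window in the description; not kernel code. */
#include <stdint.h>
#define MAX_CONNS 4
#define POISON 0xdead   /* stands in for kfree(): reading a freed conn yields this value */
struct hci_conn { int live; uint16_t handle; uint16_t le_conn_max_interval; };
struct hci_dev { int lock_held; struct hci_conn conns[MAX_CONNS]; };   /* lock_held models hdev lock */
typedef int (*other_ctx_fn)(struct hci_dev *, uint16_t);               /* work racing with the event */
/* Like hci_conn_hash_lookup_handle(): the result is only safe while the caller holds hdev lock. */
static struct hci_conn *conn_lookup(struct hci_dev *hdev, uint16_t handle)
{
    for (int i = 0; i < MAX_CONNS; i++)
        if (hdev->conns[i].live && hdev->conns[i].handle == handle)
            return &hdev->conns[i];
    return 0;
}
/* Concurrent cleanup. The kernel's would block on hdev lock; this model refuses to run while it is held. */
static int conn_del(struct hci_dev *hdev, uint16_t handle)
{
    struct hci_conn *conn = hdev->lock_held ? 0 : conn_lookup(hdev, handle);
    if (!conn) return 0;
    conn->live = 0;                          /* unlinked from the connection hash */
    conn->le_conn_max_interval = POISON;     /* kfree() stand-in */
    return 1;
}

/* Original shape: conn looked up and read before hdev lock is taken. */
static int evt_before_fix(struct hci_dev *hdev, uint16_t handle, other_ctx_fn other_ctx)
{
    struct hci_conn *conn = conn_lookup(hdev, handle);   /* lock not held */
    if (!conn) return -1;
    other_ctx(hdev, handle);                             /* cleanup frees conn inside the window */
    return conn->le_conn_max_interval;                   /* use-after-free in the real kernel */
}

/* Fixed shape: lookup and every field access sit inside one hdev lock critical section. */
static int evt_after_fix(struct hci_dev *hdev, uint16_t handle, other_ctx_fn other_ctx)
{
    hdev->lock_held = 1;                                 /* hci_dev_lock() */
    struct hci_conn *conn = conn_lookup(hdev, handle);
    if (conn) other_ctx(hdev, handle);                   /* cleanup must wait for the lock */
    int max = conn ? conn->le_conn_max_interval : -1;    /* conn is still live here */
    hdev->lock_held = 0;                                 /* hci_dev_unlock() */
    return max;
}

static struct hci_dev make_dev(uint16_t handle, uint16_t max)   /* constructed sample: one live LE conn */
{
    struct hci_dev hdev = { .conns[0] = { 1, handle, max } };
    return hdev;
}
```

Passing conn_del as other_ctx to each handler reproduces the race deterministically: the pre-fix handler returns POISON, the fixed one returns the real interval and the deferred cleanup only succeeds after the lock is dropped.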
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.168 | 59eecf0ffde1 |
| 6.6 | 6.6.134 | 5fb69e1eeea9 |
| 6.12 | 6.12.81 | 7cadb03be37e |
| 6.18 | 6.18.22 | 1d0bdbfe3e91 |
| 6.19 | 6.19.12 | ea3cd36d7382 |
| mainline | 7.0 | b255531b27da |