Severity: HIGH
bluetooth HciConn UAF
CVE-2026-43019
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possible it is freed concurrently. Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration.
02 KernelScan AI Analysis
Risk summary
An attacker with local access to a system that has Bluetooth enabled could trigger a use-after-free in the kernel's Bluetooth stack. Depending on how the freed memory is reused, this could lead to a kernel crash, memory corruption, or privilege escalation.
Vulnerability analysis
Summary: Use-after-free vulnerability in Bluetooth HCI connection handling during CIG (Connected Isochronous Group) parameter configuration
Root Cause: The set_cig_params_sync function looks up an hci_conn and reads its fields without holding the hdev lock. Another context can free or modify the hci_conn while this function is still accessing it, leading to a use-after-free (and, short of that, a torn read of the configuration).
Attack Surface: Local attack surface requiring Bluetooth functionality to be enabled. An attacker would need to trigger concurrent operations on Bluetooth HCI connections so that connection cleanup races with CIG parameter configuration.
Fix Mechanism: The patch adds hci_dev_lock(hdev) around the critical section where hci_conn is looked up and its fields are accessed. This prevents concurrent deletion or modification of the hci_conn structure during the configuration process. The lock is properly released on both success and error paths.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.81 | bad65b4b0a96 |
| 6.18 | 6.18.22 | a2639a7f0f5b |
| 6.19 | 6.19.12 | — |
| 6.5 | 6.5 | 66d432e9b45b |
| 6.6 | 6.6 | 7d568fede8ea |
| mainline | 7.0 | — |