KernelScan.io

HIGH

bluetooth SSP UAF

CVE-2026-46056

CVSS 8.8 / 10.0 (NVD)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.5 HIGH


In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: fix potential UAF in SSP passkey handlers

hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.


Engine v0.2.0

Risk summary

A race condition in Bluetooth SSP passkey event handlers causes use-after-free when hci_conn objects are freed concurrently with field access. Affects systems with Bluetooth enabled during pairing operations. Exploitable via Bluetooth protocol by an attacker in physical proximity, leading to kernel memory corruption, information disclosure, or denial of service.

Affected: net/bluetooth/hci_event.c (Bluetooth HCI event handling)

Vulnerability analysis

The vulnerability occurs in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where the hci_conn lookup and the subsequent field accesses (conn->passkey_notify, conn->passkey_entered, conn->dst, conn->type, conn->dst_type) are not protected by the hdev lock. A connection object can be freed by another thread between the hci_conn_hash_lookup_ba() call and the field access, creating a classic use-after-free. The fix extends hci_dev_lock to cover all connection usage and adds a common unlock path for the early exits. The UAF is on a heap-allocated hci_conn object; exploitation enables both information disclosure (reading freed heap/slab data) and memory corruption (writing to freed object fields or management notification callbacks). The attack vector is Adjacent (Bluetooth radio range), not Local: the attacker need not have local system access, only physical proximity to initiate Bluetooth pairing.


Branch     Fixed in   Patch commit
6.1        6.1.175    b6ae482f8865
6.12       6.12.86    01a6431766c3
6.18       6.18.27    e08d75753db1
6.6        6.6.140    204028af77a2
7.0        7.0.4      8c6443bb9257
mainline   7.1-rc1    85fa35120487