Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer

In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is dropped:

    bis = iso_pi(sk)->conn->hcon;

    /* Release the socket before lookups since that requires hci_dev_lock
     * which shall not be acquired while holding sock_lock for proper
     * ordering.
     */
    release_sock(sk);
    hci_dev_lock(bis->hdev);

During the unlocked window, a concurrent close() could destroy the connection and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory after it is freed. Fix this by using the hdev reference which was safely acquired via iso_conn_get_hdev().
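The locking pattern in the description, as an added user-space model in C (not kernel code and not taken from the fix commits). The struct layouts, the poisoned "freed" flag, the race parameter and the run() helper are assumptions for illustration, and iso_conn_get_hdev() is modelled as handing back a counted hdev reference.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model with assumed layouts; not kernel code. */
struct hdev { int refcnt; int locked; };
struct hcon { struct hdev *hdev; bool freed; };

static struct hdev *hdev_hold(struct hdev *d) { d->refcnt++; return d; }
static void hdev_put(struct hdev *d) { d->refcnt--; }

/* Models the concurrent close(). The kernel would free the connection;
 * here it is only poisoned so the stale access can be detected. */
static void concurrent_close(struct hcon *c)
{
    hdev_put(c->hdev);      /* connection drops its hdev reference */
    c->hdev = NULL;
    c->freed = true;
}

/* Pattern from the description: use the cached hcon after the unlock.
 * Returns -1 where the kernel would dereference freed memory. */
static int rebind_cached_hcon(struct hcon *bis, bool race)
{
    if (race)               /* window opened by release_sock(sk) */
        concurrent_close(bis);
    if (bis->freed)
        return -1;          /* bis->hdev would read freed memory */
    bis->hdev->locked++;    /* stands in for hci_dev_lock(bis->hdev) */
    return 0;
}

/* Fixed pattern: lock through an hdev reference taken before unlocking. */
static int rebind_held_hdev(struct hcon *bis, bool race)
{
    struct hdev *hdev = hdev_hold(bis->hdev);
    if (race)
        concurrent_close(bis);
    hdev->locked++;         /* valid: our own reference pins hdev */
    hdev_put(hdev);
    return 0;
}

static int run(bool fixed, bool race)
{
    struct hdev d = { .refcnt = 2, .locked = 0 };  /* device + connection */
    struct hcon c = { .hdev = &d, .freed = false };
    return fixed ? rebind_held_hdev(&c, race) : rebind_cached_hcon(&c, race);
}

int main(void) { printf("%d %d\n", run(false, true), run(true, true)); return 0; }
```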

PUBLISHED Reserved 2026-06-09 | Published 2026-06-25 | Updated 2026-06-25 | Assigner Linux

Product status

Default status: unaffected
  affected: d3413703d5f8b7d1e6f514f9440ed5da1bc30796 (git) before d324b8aa20bd3c3394e3647dc22491d88f3f4e7a
  affected: d3413703d5f8b7d1e6f514f9440ed5da1bc30796 (git) before f50331f2a1441ec49988832c3a95f2edacc47322

Default status: affected
  affected: 6.19
  unaffected: Any version before 6.19
  unaffected: 7.0.13 (semver)
  unaffected: 7.1 (original_commit_for_fix)

References

git.kernel.org/...c/d324b8aa20bd3c3394e3647dc22491d88f3f4e7a

git.kernel.org/...c/f50331f2a1441ec49988832c3a95f2edacc47322

cve.org (CVE-2026-53276)

nvd.nist.gov (CVE-2026-53276)