CVE-2026-43019 PUBLISHED

Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

Assigner: Linux
Reserved: 01.05.2026 Published: 01.05.2026 Updated: 01.05.2026

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possible it is freed concurrently.

Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from a091289218202bc09d9b9caa8afcde1018584aec to 66d432e9b45bae7881ffcdb12cd8fd0bf254ef02 (excl.) affected from a091289218202bc09d9b9caa8afcde1018584aec to 7d568fede8eac91161a60b710aa920abe9b0fb9f (excl.) affected from a091289218202bc09d9b9caa8afcde1018584aec to bad65b4b0a96139f023eadc28a33125963208449 (excl.) affected from a091289218202bc09d9b9caa8afcde1018584aec to a2639a7f0f5bf7d73f337f8f077c19415c62ed2c (excl.) Version 3a273cd0f47dd672d37736e623849374f9ab9ce9 is affected Version d8570c4c3f2a3e51b3c8b5e6ec898364c5c03062 is affected

Vendor	Linux
Product	Linux
Versions	Default: affected Version 6.6 is affected unaffected from 0 to 6.6 (excl.) unaffected from 6.12.81 to 6.12.* (incl.) unaffected from 6.18.22 to 6.18.* (incl.) unaffected from 6.19.12 to 6.19.* (incl.) unaffected from 7.0 to * (incl.)

CVE-2026-43019 PUBLISHED

Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

Product Status

References