CVE-2026-53276

Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer

Assigner: Linux
Reserved: 09.06.2026 Published: 25.06.2026 Updated: 25.06.2026

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer

In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is dropped: bis = iso_pi(sk)->conn->hcon; / Release the socket before lookups since that requires hci_dev_lock * which shall not be acquired while holding sock_lock for proper * ordering. / release_sock(sk); hci_dev_lock(bis->hdev);

During the unlocked window, could a concurrent close() destroy the connection and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory after it is freed, fix this by using the hdev reference which was safely acquired via iso_conn_get_hdev().

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from d3413703d5f8b7d1e6f514f9440ed5da1bc30796 to d324b8aa20bd3c3394e3647dc22491d88f3f4e7a (excl.) affected from d3413703d5f8b7d1e6f514f9440ed5da1bc30796 to f50331f2a1441ec49988832c3a95f2edacc47322 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from d3413703d5f8b7d1e6f514f9440ed5da1bc30796 to d324b8aa20bd3c3394e3647dc22491d88f3f4e7a (excl.)
affected from d3413703d5f8b7d1e6f514f9440ed5da1bc30796 to f50331f2a1441ec49988832c3a95f2edacc47322 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 6.19 is affected unaffected from 0 to 6.19 (excl.) unaffected from 7.0.13 to 7.0.* (incl.) unaffected from 7.1 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 6.19 is affected
unaffected from 0 to 6.19 (excl.)
unaffected from 7.0.13 to 7.0.* (incl.)
unaffected from 7.1 to * (incl.)

References

CVE-2026-53276 PUBLISHED

Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer

Product Status

References