Lucene search
K

67 matches found

Cvelist
Cvelist
added 2026/06/30 4:1 p.m.37 views

CVE-2026-9263 Out-of-bounds read in Bluetooth Controller ISOAL framed RX reassembly leaks adjacent memory into host HCI ISO packets

The Zephyr Bluetooth controller ISO Adaptation Layer subsys/bluetooth/controller/llsw/isoal.c fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment sc=0 always carries a 3-byte timeoffset, so its segment-header len must be at least...

6.5CVSS0.00201EPSS
Exploits1References2
NVD
NVD
added 2026/06/25 9:16 a.m.11 views

CVE-2026-53276

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hciconn pointer In isosockrebindbc, the bis pointer is cached, then the socket lock is dropped: bis = isopisk-conn-hcon; / Release the socket before lookups since that requires hcidevlo...

7.8CVSS0.0012EPSS
Exploits0References2
NVD
NVD
added 2026/06/25 9:16 a.m.8 views

CVE-2026-53251

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync hcigetroute returns a reference-counted hcidev pointer via hcidevhold. The function exits normally or with an error without ever releasing it...

5.5CVSS0.00127EPSS
Exploits0References4
OSV
OSV
added 2026/06/25 9:16 a.m.8 views

UBUNTU-CVE-2026-53276

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hciconn pointer In isosockrebindbc, the bis pointer is cached, then the socket lock is dropped: bis = isopisk-conn-hcon; / Release the socket before lookups since that requires hcidevlo...

7.8CVSS5.7AI score0.0012EPSS
Exploits0References5
OSV
OSV
added 2026/06/25 9:16 a.m.3 views

UBUNTU-CVE-2026-53251

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync hcigetroute returns a reference-counted hcidev pointer via hcidevhold. The function exits normally or with an error without ever releasing it...

5.7CVSS5.7AI score0.00127EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/25 8:39 a.m.7 views

EUVD-2026-39227

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hciconn pointer In isosockrebindbc, the bis pointer is cached, then the socket lock is dropped: bis = isopisk-conn-hcon; / Release the socket before lookups since that requires hcidevlo...

5.7AI score0.0012EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/06/25 8:39 a.m.8 views

CVE-2026-53276

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hciconn pointer In isosockrebindbc, the bis pointer is cached, then the socket lock is dropped: bis = isopisk-conn-hcon; / Release the socket before lookups since that requires hcidevlo...

7.8CVSS5.6AI score0.0012EPSS
Exploits0
OSV
OSV
added 2026/06/25 8:39 a.m.3 views

CVE-2026-53276 Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hciconn pointer In isosockrebindbc, the bis pointer is cached, then the socket lock is dropped: bis = isopisk-conn-hcon; / Release the socket before lookups since that requires hcidevlo...

7.8CVSS5.8AI score0.0012EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/25 8:39 a.m.7 views

CVE-2026-53251

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync hcigetroute returns a reference-counted hcidev pointer via hcidevhold. The function exits normally or with an error without ever releasing it...

5.7AI score0.00127EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/06/23 1:16 a.m.4 views

UBUNTU-CVE-2026-10658

A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In btisorecv subsys/bluetooth/host/iso.c, when processing PB=START/SINGLE fragments, the code pulls a TS SDU header 8 bytes, ts=1 or a non-TS SDU header 4 bytes, ts=0 without firs...

7.1CVSS5.9AI score0.00163EPSS
Exploits0References3
CVE
CVE
added 2026/06/22 11:58 p.m.23 views

CVE-2026-10658

CVE-2026-10658 affects Zephyr’s Bluetooth Host ISO RX path, specifically bt_iso_recv() in subsys/bluetooth/host/iso.c. The vulnerability arises from missing minimum length checks for SDU headers when processing PB=START/SINGLE, allowing a malformed HCI ISO payload to bypass the inner header lengt...

7.1CVSS6.1AI score0.00163EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/22 11:58 p.m.4 views

CVE-2026-10658 Out-of-bounds access in Bluetooth ISO receive (`bt_iso_recv`) due to missing SDU-header length validation

btisorecv in subsys/bluetooth/host/iso.c pulled the ISO SDU header 4 bytes or, when the timestamp flag is set, the timestamped SDU header 8 bytes from the inbound HCI ISO Data buffer via netbufpullmem without first checking buf-len. The upstream hciiso handler enforces buf-len == the...

7.1CVSS6.2AI score0.00163EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/22 11:58 p.m.42 views

CVE-2026-10658 Out-of-bounds access in Bluetooth ISO receive (`bt_iso_recv`) due to missing SDU-header length validation

btisorecv in subsys/bluetooth/host/iso.c pulled the ISO SDU header 4 bytes or, when the timestamp flag is set, the timestamped SDU header 8 bytes from the inbound HCI ISO Data buffer via netbufpullmem without first checking buf-len. The upstream hciiso handler enforces buf-len == the...

7.1CVSS0.00163EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1

In the Linux kernel, the following vulnerabilities have been resolved: Bluetooth: ISO: Fixed issues related to locking and validity checks for isoconn. sk-skstate indicates whether isopisk-conn is valid. Operations that check or update skstate and access conn should hold locksock; otherwise, they...

5.9AI score0.00166EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/03/03 9:29 a.m.3 views

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fixed a potential UAF Uninitialized Address Fault in isoconnfree. This fix addresses a similar issue to scoconnfree, where if conn-sk is not set to NULL, it may lead to a UAF in isoconnfree...

6.6AI score0.00197EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/02/27 12:0 a.m.8 views

RockyLinux 10 : kernel (RLSA-2026:2721)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:2721 advisory. kernel: ntbhwswitchtec: Fix shift-out-of-bounds in switchtecntbmwsettrans CVE-2023-53034 kernel: Linux kernel erofs: Use-After-Free due to device type...

7.8CVSS7.3AI score0.0071EPSS
Exploits0References15
Tenable Nessus
Tenable Nessus
added 2026/02/26 12:0 a.m.8 views

AlmaLinux 10 : kernel (ALSA-2026:2721)

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:2721 advisory. kernel: ntbhwswitchtec: Fix shift-out-of-bounds in switchtecntbmwsettrans CVE-2023-53034 kernel: Linux kernel erofs: Use-After-Free due to device type...

7.8CVSS6.1AI score0.0071EPSS
Exploits0References9
OSV
OSV
added 2026/02/24 6:56 p.m.11 views

RLSA-2026:2721 Moderate: kernel security update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: ntbhwswitchtec: Fix shift-out-of-bounds in switchtecntbmwsettrans CVE-2023-53034 kernel: Linux kernel erofs: Use-After-Free due to device type mismatch CVE-2025-38172 kernel: smc: Fix...

7.5CVSS8.2AI score0.0071EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2026/02/16 12:13 p.m.19 views

Moderate: Red Hat Security Advisory: kernel security update

An update for kernel is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from th...

7.8CVSS6.7AI score0.0071EPSS
Exploits0References8
OSV
OSV
added 2026/02/16 10:56 a.m.53 views

CLSA-2026-1771239384 kernel: Fix of 75 CVEs

net/sched: Make cakeenqueue return NETXMITCN when past bufferlimit CVE-2025-39766 - NFSD: Avoid calling OPDESC with ops-opnum == OPILLEGAL CVE-2023-53680 - scsi: target: iscsi: Fix buffer overflow in liotargetnaclinfoshow CVE-2023-53676 - KVM: x86: use arrayindexnospec with indices that come from...

7.8CVSS7AI score0.00519EPSS
Exploits3References1
Rows per page
Query Builder