372 matches found
kernel: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
A flaw was found in the Linux kernel's Bluetooth SCO Synchronous Connection-Oriented protocol implementation. The scorecvframe function fails to properly hold a reference to a socket after releasing a lock. This oversight allows a concurrent operation to free the socket while it is still being...
kernel: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
A flaw was found in the Linux kernel's Bluetooth SCO Synchronous Connection-Oriented protocol implementation. The scorecvframe function fails to properly hold a reference to a socket after releasing a lock. This oversight allows a concurrent operation to free the socket while it is still being...
CVE-2026-53358
A flaw was found in the Linux kernel's Bluetooth L2CAP Logical Link Control and Adaptation Protocol implementation. This vulnerability arises from an incorrect order of acquiring locks during channel cleanup, which could lead to a race condition. This issue could potentially cause instability or...
CVE-2026-53358
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: use chan timer to close channels in cleanuplisten l2capchanclose removes the channel from conn-chanl, which must be done under conn-lock. cleanuplisten runs under the parent sklock, so acquiring conn-lock would...
CVE-2026-53071
A flaw was found in the Linux kernel's Bluetooth Logical Link Control and Adaptation Protocol L2CAP implementation. A remote Bluetooth Low Energy BLE device can exploit this by sending a specially crafted L2CAP ECRED reconfiguration response. This can lead to the corruption of the channel list,...
CVE-2026-53256 Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcommconnectind rfcommgetsockbychannel scans rfcommsklist under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcommconnectind th...
CVE-2026-53254 Bluetooth: RFCOMM: validate skb length in MCC handlers
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: validate skb length in MCC handlers The RFCOMM MCC handlers cast skb-data to protocol-specific structs without validating skb-len first. A malicious remote device can send truncated MCC frames and trigger...
CVE-2026-53208
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig net/bluetooth/l2capcore.c:l2capsigchannel accepts BR/EDR signaling packets up to the channel MTU and dispatches each command without enforcing the signaling MTU MTUsig...
PT-2026-52351
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A slab-use-after-free issue exists in the Bluetooth RFCOMM implementation. The function rfcomm get sock by channel scans the rfcomm sk list under a list lock but returns the selected...
CVE-2026-53073
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcildisc: Clear HCIUARTPROTOINIT on error When hciregisterdev fails in hciuartregisterdev HCIUARTPROTOINIT is not cleared before calling hu-proto-closehu and setting hu-hdev to NULL. This means incoming UART data will...
CVE-2026-53072
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix locking in hciconnrequestevt with HCIPROTODEFER When protocol sets HCIPROTODEFER, hciconnrequestevt calls hciconnectcfmconn without hdev-lock. Generally hciconnectcfm assumes it is held, and if conn is deleted...
EUVD-2026-38941
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcildisc: Clear HCIUARTPROTOINIT on error When hciregisterdev fails in hciuartregisterdev HCIUARTPROTOINIT is not cleared before calling hu-proto-closehu and setting hu-hdev to NULL. This means incoming UART data will...
CVE-2026-53071 Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Add missing chan lock in l2capecredreconfrsp l2capecredreconfrsp calls l2capchandel without holding l2capchanlock. Every other l2capchandel caller in the file acquires the lock first. A remote BLE device can sen...
CVE-2026-53071
CVE-2026-53071 concerns the Linux kernel Bluetooth L2CAP implementation. The flaw arises when l2cap_ecred_reconf_rsp() deletes a channel without holding l2cap_chan_lock(), unlike other callers which acquire the lock first. This can allow a remote BLE device to corrupt the channel list while anoth...
Astra Linux – Vulnerability found in Linux 6.12, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receives data only if registered Currently, the bcsprecv function can still be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack...
CVE-2026-5068 bt: l2cap le coc: remote oob write via seg counter stored in net_buf user_data
A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation via chanops.allocbuf and the chosen RX pool has a userdatasize smaller than 2 bytes, the segmentation counter stored in t...
PT-2026-47704
A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation via chan ops.alloc buf and the chosen RX pool has a user data size smaller than 2 bytes, the segmentation counter stored ...
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
...
CVE-2026-45835
A flaw was found in the Linux kernel's Bluetooth L2CAP Logical Link Control and Adaptation Protocol component. A missing null pointer check in the l2capsocknewconnectioncb function could allow a remote attacker to trigger a null-pointer dereference. This vulnerability can lead to a system crash,...
SUSE CVE-2026-45836
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2capsockgetsndtimeocb Add the same NULL guard already present in l2capsockresumecb and l2capsockreadycb...