
42 matches found

RedHat Linux
added 2026/05/28 8:47 a.m. | 6 views

kernel: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

A flaw was found in the Linux kernel's Bluetooth SCO (Synchronous Connection-Oriented) protocol implementation. The sco_recv_frame() function fails to properly hold a reference to a socket after releasing a lock. This oversight allows a concurrent operation to free the socket while it is still being...

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.00016
Exploits: 0 | References: 5

RedHat Linux
added 2026/01/08 12:47 a.m. | 3 views

kernel: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue

A flaw was discovered in the Bluetooth subsystem of the Linux kernel. When processing an HCI_EV_NUM_COMP_PKTS event, the function hci_conn_tx_dequeue() did not properly hold or release the hdev device lock, which may lead to a use-after-free of the connection structure...

AI score: 5.8 | EPSS: 0.00027
Exploits: 0 | References: 5

Cvelist
added 2025/12/16 3:6 p.m. | 23 views

CVE-2025-68305 Bluetooth: hci_sock: Prevent race in socket write iter and sock bind

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter sends the cmd, just as...

EPSS: 0.00028
Exploits: 0 | References: 4

CVE
added 2025/12/16 3:6 p.m. | 6 views

CVE-2025-68304

The CVE-2025-68304 entries describe a Linux kernel Bluetooth subsystem use-after-free risk in hci_core: lookup of hci_conn on the RX path. The root cause is a hdev lock/lookup/unlock/use pattern in RX that can allow concurrent deletion of hci_conn* while protocol RX processing uses it, prior to/b...

AI score: 6.3 | EPSS: 0.00026
Exploits: 0 | References: 2

OSV
added 2025/12/09 1:29 a.m. | 2 views

CVE-2023-53828 Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor() KSAN reports use-after-free in hci_add_adv_monitor(). While adding an adv monitor, hci_add_adv_monitor() calls -> msft_add_monitor_pattern() calls -> msft_add_monitor_sync() calls ->...

AI score: 6.5 | EPSS: 0.00028
Exploits: 0 | References: 7

RedHat Linux
added 2025/11/11 8:21 a.m. | 0 views

kernel: Bluetooth: btrtl: check for NULL in btrtl_setup_realtek()

A NULL pointer access may result in compromised availability...

CVSS: 5.5 | AI score: 7.4 | EPSS: 0.00054
Exploits: 0 | References: 5

SUSE CVE
added 2025/10/08 11:30 p.m. | 1 views

SUSE CVE-2023-53673

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: call disconnect callback before deleting conn In hci_cs_disconnect, we do hci_conn_del even if disconnection failed. ISO, L2CAP and SCO connections refer to the hci_conn without hci_conn_get(), so disconn_cfm must be...

CVSS: 7 | AI score: 6.4 | EPSS: 0.00008
Exploits: 0 | References: 37

EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2022-55026

Malicious code in bioql PyPI...

CVSS: 5.5 | AI score: 6 | EPSS: 0.0001
Exploits: 0 | References: 7

OSV
added 2025/09/17 3:15 p.m. | 1 views

DEBIAN-CVE-2022-50374

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure syzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1], for rcu_sync_enter() is called without rcu_sync_init() due to hci_uart_tty_open() ignoring percpu_init_rwsem() failure...

CVSS: 5.5 | AI score: 5.4 | EPSS: 0.00021
Exploits: 0 | References: 1

OSV
added 2025/09/17 2:56 p.m. | 2 views

CVE-2022-50374 Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure syzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1], for rcu_sync_enter() is called without rcu_sync_init() due to hci_uart_tty_open() ignoring percpu_init_rwsem() failure...

CVSS: 5.5 | AI score: 6.2 | EPSS: 0.00021
Exploits: 0 | References: 8

Vulnrichment
added 2025/09/16 4:11 p.m. | 2 views

CVE-2022-50339 Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev() syzbot is again reporting attempt to cancel uninitialized work at mgmt_index_removed() [1], for setting of HCI_MGMT flag from mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can rac...

AI score: 5.8 | EPSS: 0.00015
Exploits: 0 | References: 2

OSV
added 2025/09/15 3:15 p.m. | 0 views

UBUNTU-CVE-2023-53252

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync hci_update_accept_list_sync iterates over hdev->pend_le_conns and hdev->pend_le_reports, and waits for controller events in the loop body, without holding hdev lock...

CVSS: 7.8 | AI score: 6.2 | EPSS: 0.00017
Exploits: 0 | References: 6

Vulnrichment
added 2025/09/15 2:46 p.m. | 1 views

CVE-2023-53252 Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync hci_update_accept_list_sync iterates over hdev->pend_le_conns and hdev->pend_le_reports, and waits for controller events in the loop body, without holding hdev lock...

AI score: 6.1 | EPSS: 0.00017
Exploits: 0 | References: 3

RedHat Linux
added 2025/09/04 1:18 a.m. | 3 views

kernel: Bluetooth: hci_core: Fix use-after-free in vhci_flush()

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix use-after-free in vhci_flush() syzbot reported use-after-free in vhci_flush() without repro. [0] From the splat, a thread closed a vhci file descriptor while its device was being used by ioctl() on another thread...

CVSS: 7.8 | AI score: 6.8 | EPSS: 0.00064
Exploits: 0 | References: 5

OSV
added 2025/08/22 4:15 p.m. | 0 views

UBUNTU-CVE-2025-38641

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: Fix potential NULL dereference on kmalloc failure Avoid potential NULL pointer dereference by checking the return value of kmalloc and handling allocation failure properly...

CVSS: 5.5 | AI score: 5.7 | EPSS: 0.00027
Exploits: 0 | References: 5

OSV
added 2025/05/20 4:15 p.m. | 0 views

UBUNTU-CVE-2025-37918

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() A NULL pointer dereference can occur in skb_dequeue() when processing a QCA firmware crash dump on WCN7851 (0489:e0f3). 93.672166 Bluetooth: hci0: ACL memdump size589824...

CVSS: 5.5 | AI score: 6.2 | EPSS: 0.00065
Exploits: 0 | References: 29

RedHat Linux
added 2025/05/13 8:28 a.m. | 2 views

kernel: Bluetooth: btmtk: avoid UAF in btmtk_process_coredump

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: avoid UAF in btmtk_process_coredump hci_devcd_append() may lead to the release of the skb, so it cannot be accessed once it is called. ================================================================== BUG: KASAN:...

CVSS: 7.8 | AI score: 6.8 | EPSS: 0.00024
Exploits: 0 | References: 5

RedHat Linux
added 2025/05/13 8:28 a.m. | 1 views

kernel: Bluetooth: L2CAP: Fix not validating setsockopt user input

CVE-2024-35965 is a vulnerability in the Linux kernel's Bluetooth L2CAP implementation, caused by inadequate input length validation in the setsockopt function. This flaw allows overly large user-provided data to be copied into kernel memory, potentially leading to buffer overflows, system...

CVSS: 7.1 | AI score: 6.8 | EPSS: 0.00007
Exploits: 0 | References: 5

RedHat Linux
added 2025/05/13 8:28 a.m. | 1 views

kernel: Bluetooth: hci_core: Fix sleeping function called from invalid context

REJECTED CVE. A vulnerability was identified in the Linux kernel's Bluetooth: hci_core package, where a sleeping function mutex_lock was improperly invoked from an invalid context within the HCI event handling workqueue, potentially leading to kernel warnings or deadlocks. An attacker exploiting thi...

AI score: 7.5
Exploits: 0 | References: 5

RedHat Linux
added 2025/05/13 8:28 a.m. | 2 views

kernel: Bluetooth: Call iso_exit() on module unload

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Call iso_exit() on module unload If iso_init() has been called, iso_exit() must be called on module unload. Without that, the struct proto that iso_init() registered with proto_register() becomes invalid, which could cause...

CVSS: 5.5 | AI score: 6.8 | EPSS: 0.00036
Exploits: 0 | References: 5