
17873 matches found

OSV
added 2026/06/25 9:16 a.m. | 3 views

UBUNTU-CVE-2026-53254

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: validate skb length in MCC handlers. The RFCOMM MCC handlers cast skb->data to protocol-specific structs without validating skb->len first. A malicious remote device can send truncated MCC frames and trigger...

8.1 CVSS | 5.8 AI score | 0.00283 EPSS
Exploits 0 | References 10
OSV
added 2026/06/25 9:16 a.m. | 2 views

UBUNTU-CVE-2026-53209

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend. Existing advertising instances can already hold the maximum extended advertising payload. When hci_adv_bcast_annoucement prepends the Broadcast Announcement service...

7.8 CVSS | 5.9 AI score | 0.00138 EPSS
Exploits 0 | References 9
OSV
added 2026/06/25 9:16 a.m. | 4 views

UBUNTU-CVE-2026-53255

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV before type checks. tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits insi...

5.9 AI score | 0.00172 EPSS
Exploits 0 | References 11
OSV
added 2026/06/25 9:16 a.m. | 4 views

UBUNTU-CVE-2026-53256

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind(). rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcomm_connect_ind() th...

8 CVSS | 5.7 AI score | 0.00266 EPSS
Exploits 0 | References 11
OSV
added 2026/06/25 9:16 a.m. | 2 views

UBUNTU-CVE-2026-53251

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync. hci_get_route returns a reference-counted hci_dev pointer via hci_dev_hold. The function exits normally or with an error without ever releasing it...

5.7 CVSS | 5.7 AI score | 0.00175 EPSS
Exploits 0 | References 7
OSV
added 2026/06/25 9:16 a.m. | 2 views

UBUNTU-CVE-2026-53252

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix memory leak in error path of hci_alloc_dev. Early failures in Bluetooth HCI UART configuration leak SRCU percpu memory. When device initialization fails before hci_register_dev completes, the HCI_UNREGISTER flag is never...

6.7 CVSS | 5.7 AI score | 0.00189 EPSS
Exploits 0 | References 10
EUVD
added 2026/06/25 8:39 a.m. | 7 views

EUVD-2026-39227

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer. In iso_sock_rebind_bc, the bis pointer is cached, then the socket lock is dropped: bis = iso_pi(sk)->conn->hcon; /* Release the socket before lookups since that requires hci_dev_lo...

5.7 AI score | 0.0012 EPSS
Exploits 0 | References 2
Cvelist
added 2026/06/25 8:39 a.m. | 30 views

CVE-2026-53276 Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer. In iso_sock_rebind_bc, the bis pointer is cached, then the socket lock is dropped: bis = iso_pi(sk)->conn->hcon; /* Release the socket before lookups since that requires hci_dev_lo...

7.8 CVSS | 0.0012 EPSS
Exploits 0 | References 2
CVE
added 2026/06/25 8:39 a.m. | 19 views

CVE-2026-53276

The CVE-2026-53276 entry concerns the Linux kernel Bluetooth ISO stack. A use-after-free occurs in iso_sock_rebind_bc where the bis pointer is cached and the socket lock is released before traversals, allowing a concurrent close() to free the hci_conn and its bis structure. The code then accesses...

7.8 CVSS | 5.7 AI score | 0.0012 EPSS
Exploits 0 | References 2
Debian CVE
added 2026/06/25 8:39 a.m. | 5 views

CVE-2026-53276

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer. In iso_sock_rebind_bc, the bis pointer is cached, then the socket lock is dropped: bis = iso_pi(sk)->conn->hcon; /* Release the socket before lookups since that requires hci_dev_lo...

7.8 CVSS | 5.6 AI score | 0.0012 EPSS
Exploits 0
ATTACKERKB
added 2026/06/25 8:39 a.m. | 6 views

CVE-2026-53256

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind(). rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcomm_connect_ind() th...

5.7 AI score | 0.00266 EPSS
Exploits 0 | References 9 | Affected Software 1
Cvelist
added 2026/06/25 8:39 a.m. | 29 views

CVE-2026-53256 Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind(). rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcomm_connect_ind() th...

8 CVSS | 0.00266 EPSS
Exploits 0 | References 8
EUVD
added 2026/06/25 8:39 a.m. | 4 views

EUVD-2026-39207

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind(). rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcomm_connect_ind() th...

5.7 AI score | 0.00266 EPSS
Exploits 0 | References 8
CVE
added 2026/06/25 8:39 a.m. | 10 views

CVE-2026-53256

CVE-2026-53256 concerns the Linux kernel Bluetooth RFCOMM implementation. A race in rfcomm_connect_ind() can cause a use-after-free when handling listener sockets: rfcomm_get_sock_by_channel() may drop the list lock without holding a reference, and subsequent operations may free the listener befo...

8 CVSS | 5.7 AI score | 0.00266 EPSS
Exploits 0 | References 8
Debian CVE
added 2026/06/25 8:39 a.m. | 5 views

CVE-2026-53256

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind(). rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcomm_connect_ind() th...

8 CVSS | 5.6 AI score | 0.00266 EPSS
Exploits 0
CVE
added 2026/06/25 8:39 a.m. | 9 views

CVE-2026-53255

CVE-2026-53255 (Linux kernel Bluetooth MGMT TLV parsing): The vulnerability arises in tlv_data_is_valid() where the advertising data field length is read from data[i] and the parser inspects data[i+1] for EIR types before confirming the field fits in the buffer. A malformed field whose length by...

6 AI score | 0.00172 EPSS
Exploits 0 | References 8
Cvelist
added 2026/06/25 8:39 a.m. | 28 views

CVE-2026-53254 Bluetooth: RFCOMM: validate skb length in MCC handlers

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: validate skb length in MCC handlers. The RFCOMM MCC handlers cast skb->data to protocol-specific structs without validating skb->len first. A malicious remote device can send truncated MCC frames and trigger...

8.1 CVSS | 0.00283 EPSS
Exploits 0 | References 7
EUVD
added 2026/06/25 8:39 a.m. | 6 views

EUVD-2026-39205

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: validate skb length in MCC handlers. The RFCOMM MCC handlers cast skb->data to protocol-specific structs without validating skb->len first. A malicious remote device can send truncated MCC frames and trigger...

5.8 AI score | 0.00283 EPSS
Exploits 0 | References 7
EUVD
added 2026/06/25 8:39 a.m. | 6 views

EUVD-2026-39206

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV before type checks. tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits insi...

6 AI score | 0.00172 EPSS
Exploits 0 | References 8
CVE
added 2026/06/25 8:39 a.m. | 13 views

CVE-2026-53254

The CVE-2026-53254 issue affects the Linux kernel Bluetooth RFCOMM MCC handlers, which cast skb data to protocol-specific structs without validating skb->len. A malicious remote device could send truncated MCC frames, causing out-of-bounds reads. The fix is to validate and access required data...

8.1 CVSS | 5.8 AI score | 0.00283 EPSS
Exploits 0 | References 7