kernel: Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync

A flaw was found in the Linux kernel’s Bluetooth subsystem HCI. Specifically, in the function hciaclcreateconnsync and related path hcilecreateconnsync, a connection object in state BTOPEN that is still pending command submission may be freed prematurely, leading to a use-after-free condition. An...

CVE-2025-39982

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcievent: Fix UAF in hciaclcreateconnsync This fixes the following UFA in hciaclcreateconnsync where a connection still pending is command submission conn-state == BTOPEN maybe freed, also since this also can happen wi...

CVE-2025-39982 Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcievent: Fix UAF in hciaclcreateconnsync This fixes the following UFA in hciaclcreateconnsync where a connection still pending is command submission conn-state == BTOPEN maybe freed, also since this also can happen wi...

CVE-2025-39982

CVE-2025-39982 is a Linux kernel Bluetooth (hci_event) UAF in hci_acl_create_conn_sync. The initial CVE description confirms a use-after-free in hci_acl_create_conn_sync that can occur while a pending connection is being submitted (conn->state == BT_OPEN) and is similarly implicated for hci_le...