230 matches found
CVE-2026-10654 RFCOMM session-disconnect race leaks session/L2CAP and denies further RFCOMM service in Zephyr Bluetooth Classic
A race condition in the Zephyr Bluetooth Classic RFCOMM host stack subsys/bluetooth/host/classic/rfcomm.c mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a session teardown state BTRFCOMMSTATEDISCONNECTING, DISC sent, RTX timer armed and the connect...
Linux Distros Unpatched Vulnerability : CVE-2026-53254
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bluetooth: RFCOMM: validate skb length in MCC handlers The RFCOMM MCC handlers cast skb-data to protocol- specific structs without validating skb-len first. A...
SUSE CVE-2026-53254
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: validate skb length in MCC handlers The RFCOMM MCC handlers cast skb-data to protocol-specific structs without validating skb-len first. A malicious remote device can send truncated MCC frames and trigger...
SUSE CVE-2026-53256
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcommconnectind rfcommgetsockbychannel scans rfcommsklist under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcommconnectind th...
CVE-2026-53254
A flaw was found in the Linux kernel's Bluetooth RFCOMM Radio Frequency Communication subsystem. A malicious remote device could exploit this vulnerability by sending specially crafted, truncated Multiplexing Control Channel MCC frames. This lack of proper validation of incoming data length befor...
CVE-2026-53256
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcommconnectind rfcommgetsockbychannel scans rfcommsklist under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcommconnectind th...
CVE-2026-53256
CVE-2026-53256 concerns the Linux kernel Bluetooth RFCOMM implementation. A race in rfcomm_connect_ind() can cause a use-after-free when handling listener sockets: rfcomm_get_sock_by_channel() may drop the list lock without holding a reference, and subsequent operations may free the listener befo...
CVE-2026-53256 Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcommconnectind rfcommgetsockbychannel scans rfcommsklist under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcommconnectind th...
CVE-2026-53254
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: validate skb length in MCC handlers The RFCOMM MCC handlers cast skb-data to protocol-specific structs without validating skb-len first. A malicious remote device can send truncated MCC frames and trigger...
EUVD-2026-39205
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: validate skb length in MCC handlers The RFCOMM MCC handlers cast skb-data to protocol-specific structs without validating skb-len first. A malicious remote device can send truncated MCC frames and trigger...
CVE-2026-53254
The CVE-2026-53254 issue affects the Linux kernel Bluetooth RFCOMM MCC handlers, which cast skb data to protocol-specific structs without validating skb->len. A malicious remote device could send truncated MCC frames, causing out-of-bounds reads. The fix is to validate and access required data...
PT-2026-52349
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description RFCOMM MCC handlers cast skb-data to protocol-specific structs without first validating skb-len. This allows a malicious remote device to send truncated MCC frames, triggering...
EUVD-2026-33776
In btajvrfcommconnect of btajvact.cc, there is a possible bypass of bonding for a secure connection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2026-0045
In btajvrfcommconnect of btajvact.cc, there is a possible bypass of bonding for a secure connection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
ASB-A-380091558
In btajvrfcommconnect of btajvact.cc, there is a possible bypass of bonding for a secure connection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15, Linux 6.1
A NULL pointer dereference vulnerability exists in the Linux kernel on Linux, x86, and ARM platforms including networking and Bluetooth modules. This vulnerability is related to the /net/bluetooth/rfcomm/core.C file. This issue affects the Linux kernel version v2.6.12-rc2...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fixed a possible deadlock in rfcommskstatechange. syzbot reports a possible deadlock in rfcommskstatechange 1. While rfcommsockconnect acquires the sk lock and waits for the rfcomm lock, rfcommsockrelease might acquire...
CLSA-2026-1777614769 kernel: Fix of 13 CVEs
crypto: algifaead - Fix minimum RX size check for decryption - crypto: afalg - Fix page reassignment overflow in afalgpulltsgl - crypto: authencesn - Fix src offset when decrypting in-place - crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption - crypto: authenc - use...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013348)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013348 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: FIX possible deadlock in rfcommskstatechange rfcommskstatechange attempts to u...
CVE-2026-31280
CVE-2026-31280 affects Parani M10 Motorcycle Intercom (v2.1.3) via the Bluetooth Classic RFCOMM service. Multiple sources describe an unauthenticated Denial of Service caused by sending crafted RFCOMM frames, leading to a device crash. The NVD and Red Hat entries corroborate the same impact; expl...