CVE-2026-46111

Source
https://cve.org/CVERecord?id=CVE-2026-46111
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46111.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46111
Downstream
Related
Published
2026-05-28T09:35:19.970Z
Modified
2026-07-08T08:13:36.890000853Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Bluetooth: hci_conn: fix potential UAF in create_big_sync
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hciconn: fix potential UAF in createbig_sync

Add hciconnvalid() check in createbigsync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in createbigcomplete() and re-validate the connection under hcidevlock() before dereferencing, matching the pattern used by createleconncomplete() and createpa_complete().

Keep the hciconn object alive across the async boundary by taking a reference via hciconnget() when queueing createbigsync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hcidevlock() serializes hciconnhashdel()'s listdelrcu() on hdev->connhash, as required by hciconn_del().

hciconnput() is called outside hcidevunlock() so the final put (which resolves to kfree() via btlinkrelease) does not run under hdev->lock, though the release path would be safe either way.

Without this, createbigcomplete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hciconnectcfm() and hciconndel().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46111.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
eca0ae4aea66914515e5e3098ea051b518ee5316
Fixed
6823f730bf195fc296d9edd09e2ca94bc1ff5584
Fixed
1750a2df0eab61dc421a7afae74abdd239a44b85
Fixed
dc34f8d8240f25dd137dc2758ebbcc75e3779142
Fixed
f8eaf92c57ad99358dd372580d5ff87623343a72
Fixed
0beddb0c380bed5f5b8e61ddbe14635bb73d0b41

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46111.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.90
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.32
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46111.json"