In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hciconn: fix potential UAF in createbig_sync
Add hciconnvalid() check in createbigsync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in createbigcomplete() and re-validate the connection under hcidevlock() before dereferencing, matching the pattern used by createleconncomplete() and createpa_complete().
Keep the hciconn object alive across the async boundary by taking a reference via hciconnget() when queueing createbigsync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hcidevlock() serializes hciconnhashdel()'s listdelrcu() on hdev->connhash, as required by hciconn_del().
hciconnput() is called outside hcidevunlock() so the final put (which resolves to kfree() via btlinkrelease) does not run under hdev->lock, though the release path would be safe either way.
Without this, createbigcomplete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hciconnectcfm() and hciconndel().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46111.json",
"cna_assigner": "Linux"
}