CVE-2026-53072

Source
https://cve.org/CVERecord?id=CVE-2026-53072
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53072.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53072
Downstream
Related
Published
2026-06-24T16:30:13.570Z
Modified
2026-07-11T09:29:25.713709695Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix locking in hciconnrequestevt() with HCIPROTO_DEFER

When protocol sets HCIPROTODEFER, hciconnrequestevt() calls hciconnectcfm(conn) without hdev->lock. Generally hciconnect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF.

Only SCO and ISO set HCIPROTODEFER and only for defer setup listen, and HCIEVCONNREQUEST is not generated for ISO. In the non-deferred listening socket code paths, hciconnect_cfm(conn) is called with hdev->lock held.

Fix by holding the lock.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53072.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
70c464256310e1c3716099b9d02ece4169272f73
Fixed
60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4
Fixed
9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e
Fixed
c7777f534a8018ae4bb1c80d8925af4df588a314
Fixed
6b4d226d01ab7da0d2027a2a1e3a6079152e5065
Fixed
541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f
Fixed
385b2d0468a0871fc716c549fa3b0c257c7dbcb3
Fixed
c27224daf0b08efbb2b24ed64b6139b294f5473a
Fixed
5c7209a341ff2ac338b2b0375c34a307b37c9ac2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53072.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.17.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53072.json"