In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: fix locking in hciconnrequestevt() with HCIPROTO_DEFER
When protocol sets HCIPROTODEFER, hciconnrequestevt() calls hciconnectcfm(conn) without hdev->lock. Generally hciconnect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF.
Only SCO and ISO set HCIPROTODEFER and only for defer setup listen, and HCIEVCONNREQUEST is not generated for ISO. In the non-deferred listening socket code paths, hciconnect_cfm(conn) is called with hdev->lock held.
Fix by holding the lock.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53072.json",
"cna_assigner": "Linux"
}