CVE-2026-46111
Bluetooth: hci_conn: fix potential UAF in create_big_sync
Published:
5/28/2026
Last updated:
6/14/2026
Reserved:
5/13/2026
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: fix potential UAF in create_big_sync
Add hci_conn_valid() check in create_big_sync() to detect stale
connections before proceeding with BIG creation. Handle the
resulting -ECANCELED in create_big_complete() and re-validate the
connection under hci_dev_lock() before dereferencing, matching the
pattern used by create_le_conn_complete() and create_pa_complete().
Keep the hci_conn object alive across the async boundary by taking
a reference via hci_conn_get() when queueing create_big_sync(), and
dropping it in the completion callback. The refcount and the lock
are complementary: the refcount keeps the object allocated, while
hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on
hdev->conn_hash, as required by hci_conn_del().
hci_conn_put() is called outside hci_dev_unlock() so the final put
(which resolves to kfree() via bt_link_release) does not run under
hdev->lock, though the release path would be safe either way.
Without this, create_big_complete() would unconditionally
dereference the conn pointer on error, causing a use-after-free
via hci_connect_cfm() and hci_conn_del().
CNA assigner:
Linux (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
Requested by:
n/a
Products affected (4)
| Product |
Vendor |
Version |
| Linux |
Linux
|
< 4.3.1-lp151.2.3.1
|
| Linux |
Linux
|
n/a
|
| Linux |
Linux
|
n/a
|
| Linux |
Linux
|
< 3.4.24
|