CVE-2026-46111
Status: Received - Intake
Use-After-Free in Linux Kernel Bluetooth HCI Connection

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in create_big_sync

Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().

Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del(). hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.

Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().
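The description relies on two cooperating mechanisms: a reference that keeps the object allocated across the asynchronous boundary, and a lock that serializes membership in the connection hash so the completion path can re-check validity before touching the object. The following user-space model, added here to illustrate that pattern, is not the kernel's code: `struct conn`, `struct hdev`, the fixed-size "hash", the `lock_held` flag standing in for hci_dev_lock(), and the simulated controller error are all constructed for this example. It runs four scenarios (normal completion, teardown before the work runs, teardown between work and completion, and a controller error) and records whether every object was released exactly once and never while the lock was held.

```c
/* Added example: user-space model of the refcount-plus-lock pattern from the
 * fix description. Not Linux kernel code: all names and the "hash" are
 * constructed stand-ins for hci_conn / hdev->conn_hash / hci_dev_lock(). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define HASH_SLOTS 4

enum outcome { OUTCOME_COMPLETED, OUTCOME_CANCELED, OUTCOME_FAILED, OUTCOME_STALE };
struct result { enum outcome out; int freed; int freed_under_lock; };

struct hdev;
struct conn { struct hdev *hdev; int refcnt; bool big_ready; };
struct hdev {
    struct conn *hash[HASH_SLOTS]; /* stands in for hdev->conn_hash */
    bool lock_held;                /* stands in for hci_dev_lock()  */
    int freed;                     /* conn objects released so far  */
    int freed_under_lock;          /* releases with the lock held (must stay 0) */
};

static void hdev_lock(struct hdev *h)   { if (h->lock_held) abort(); h->lock_held = true; }
static void hdev_unlock(struct hdev *h) { if (!h->lock_held) abort(); h->lock_held = false; }

/* Refcount: keeps the object allocated across the async boundary. */
static void conn_get(struct conn *c) { c->refcnt++; }
static void conn_put(struct conn *c)
{
    if (--c->refcnt > 0) return;
    c->hdev->freed++;                                   /* final put == kfree() */
    if (c->hdev->lock_held) c->hdev->freed_under_lock++;
    free(c);
}

/* Lock: serializes hash membership; these helpers require the caller to hold it. */
static bool conn_valid(struct hdev *h, struct conn *c)
{
    for (int i = 0; i < HASH_SLOTS; i++) if (h->hash[i] == c) return true;
    return false;
}
static void conn_unlink_locked(struct hdev *h, struct conn *c)
{
    for (int i = 0; i < HASH_SLOTS; i++) if (h->hash[i] == c) h->hash[i] = NULL;
}
static struct conn *conn_add(struct hdev *h)
{
    struct conn *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->hdev = h; c->refcnt = 1;                         /* the hash owns one reference */
    hdev_lock(h);
    for (int i = 0; i < HASH_SLOTS; i++) if (!h->hash[i]) { h->hash[i] = c; break; }
    hdev_unlock(h);
    return c;
}
/* Teardown by some other path: unlink under the lock, drop the reference outside it. */
static void conn_teardown(struct hdev *h, struct conn *c)
{
    bool was_valid;
    hdev_lock(h);
    if ((was_valid = conn_valid(h, c))) conn_unlink_locked(h, c);
    hdev_unlock(h);
    if (was_valid) conn_put(c);
}

/* The queued work: refuse to act on a stale connection and report -ECANCELED. */
static int create_big_sync(struct hdev *h, struct conn *c, int simulated_err)
{
    hdev_lock(h);
    int err = conn_valid(h, c) ? simulated_err : -ECANCELED;
    hdev_unlock(h);
    return err;
}

/* The completion callback: c is still allocated (we hold a reference) but may
 * no longer be a live connection, so re-validate under the lock before use. */
static enum outcome create_big_complete(struct hdev *h, struct conn *c, int err)
{
    enum outcome out;
    bool drop_hash_ref = false;
    if (err == -ECANCELED) {
        out = OUTCOME_CANCELED;            /* stale before the work ran: touch nothing */
    } else {
        hdev_lock(h);
        if (!conn_valid(h, c))  out = OUTCOME_STALE;      /* torn down after the work ran */
        else if (err) { conn_unlink_locked(h, c); drop_hash_ref = true; out = OUTCOME_FAILED; }
        else          { c->big_ready = true; out = OUTCOME_COMPLETED; } /* safe dereference */
        hdev_unlock(h);
    }
    if (drop_hash_ref) conn_put(c);        /* both puts run after unlock, so the */
    conn_put(c);                           /* final free never runs under the lock */
    return out;
}

/* One BIG creation with an optional racing teardown; returns outcome and accounting. */
static struct result run_scenario(bool teardown_before_sync, bool teardown_before_complete, int sync_err)
{
    struct hdev h = {0};
    struct conn *c = conn_add(&h);
    struct result r;
    conn_get(c);                           /* queueing the work takes a reference */
    if (teardown_before_sync) conn_teardown(&h, c);
    int err = create_big_sync(&h, c, sync_err);
    if (teardown_before_complete) conn_teardown(&h, c);
    r.out = create_big_complete(&h, c, err);
    for (int i = 0; i < HASH_SLOTS; i++) {  /* release whatever the hash still holds */
        hdev_lock(&h); struct conn *left = h.hash[i]; h.hash[i] = NULL; hdev_unlock(&h);
        if (left) conn_put(left);
    }
    r.freed = h.freed; r.freed_under_lock = h.freed_under_lock;
    return r;
}

int main(void)
{
    struct result r = run_scenario(true, false, 0);
    printf("teardown before work: outcome %d, freed %d, freed under lock %d\n",
           r.out, r.freed, r.freed_under_lock);
    return 0;
}
```

In every scenario the object is released exactly once and never while the lock is held, which is the property the description's "complementary" refcount and lock are meant to guarantee; removing either the conn_get() at queue time or the conn_valid() re-check in the completion callback would reintroduce the stale-pointer dereference the fix closes.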
Affected Vendors & Products
Vendor   Product        Version / Range
linux    linux_kernel   *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free (UAF) issue in the Linux kernel's Bluetooth subsystem, specifically in the create_big_sync function related to handling Bluetooth connections.

The problem occurs because create_big_complete() would unconditionally dereference a connection pointer even when an error happens, leading to accessing memory that has already been freed.

The fix involves adding a check to detect stale connections before proceeding, handling errors properly, and managing reference counts to keep the connection object alive across asynchronous operations.


How can this vulnerability impact me?

This use-after-free vulnerability can cause the Linux kernel to access invalid memory, potentially leading to system crashes or unpredictable behavior in the Bluetooth subsystem.

Exploitation of this flaw could result in denial of service or possibly allow an attacker to execute arbitrary code within the kernel context, depending on the circumstances.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by adding validation checks and reference counting in the Linux kernel Bluetooth subsystem to prevent use-after-free conditions.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes the fix for CVE-2026-46111.

