CVE-2026-53276

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is dropped: bis = iso_pi(sk)->conn->hcon; /* Release the socket before lookups since that requires hci_dev_lock * which shall not be acquired while holding sock_lock for proper * ordering. */ release_sock(sk); hci_dev_lock(bis->hdev); During the unlocked window, could a concurrent close() destroy the connection and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory after it is freed, fix this by using the hdev reference which was safely acquired via iso_conn_get_hdev().

CVSS

No CVSS.

References

Link	Resource
https://git.kernel.org/stable/c/d324b8aa20bd3c3394e3647dc22491d88f3f4e7a
https://git.kernel.org/stable/c/f50331f2a1441ec49988832c3a95f2edacc47322

Configurations

No configuration.

History

25 Jun 2026, 09:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-25 09:16

Updated : 2026-06-25 09:16

NVD link : CVE-2026-53276

Mitre link : CVE-2026-53276

CVE.ORG link : CVE-2026-53276

JSON object : View

Products Affected

No product.

CWE

No CWE.

{"id": "CVE-2026-53276", "cveTags": [], "metrics": {}, "affected": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "affectedData": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "d3413703d5f8b7d1e6f514f9440ed5da1bc30796", "lessThan": "d324b8aa20bd3c3394e3647dc22491d88f3f4e7a", "versionType": "git"}, {"status": "affected", "version": "d3413703d5f8b7d1e6f514f9440ed5da1bc30796", "lessThan": "f50331f2a1441ec49988832c3a95f2edacc47322", "versionType": "git"}], "programFiles": ["net/bluetooth/iso.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.19"}, {"status": "unaffected", "version": "0", "lessThan": "6.19", "versionType": "semver"}, {"status": "unaffected", "version": "7.0.13", "versionType": "semver", "lessThanOrEqual": "7.0.*"}, {"status": "unaffected", "version": "7.1", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/bluetooth/iso.c"], "defaultStatus": "affected"}]}], "published": "2026-06-25T09:16:45.807", "references": [{"url": "https://git.kernel.org/stable/c/d324b8aa20bd3c3394e3647dc22491d88f3f4e7a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f50331f2a1441ec49988832c3a95f2edacc47322", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix a use-after-free of the hci_conn pointer\n\nIn iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is\ndropped:\n\tbis = iso_pi(sk)->conn->hcon;\n\t/* Release the socket before lookups since that requires hci_dev_lock\n\t * which shall not be acquired while holding sock_lock for proper\n\t * ordering.\n\t */\n\trelease_sock(sk);\n\thci_dev_lock(bis->hdev);\n\nDuring the unlocked window, could a concurrent close() destroy the connection\nand free the bis structure, causing hci_dev_lock(bis->hdev) to access memory\nafter it is freed, fix this by using the hdev reference which was safely\nacquired via iso_conn_get_hdev()."}], "lastModified": "2026-06-25T09:16:45.807", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}