Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync_CVE-2026-43019

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

hci_conn lookup and field access must be covered by hdev lock in
set_cig_params_sync, otherwise it's possible it is freed concurrently.

Take hdev lock to prevent hci_conn from being deleted or modified
concurrently. Just RCU lock is not suitable here, as we also want to
avoid "tearing" in the configuration.

Basic Information

ID CVE-2026-43019

Source Linux

Published May 1, 2026 at 14:15

Modified May 3, 2026 at 05:46

Affected Product

Vendor Linux

Product Linux

Version a091289218202bc09d9b9caa8afcde1018584aec

Affected Versions Linux Linux a091289218202bc09d9b9caa8afcde1018584aec
Linux Linux a091289218202bc09d9b9caa8afcde1018584aec
Linux Linux a091289218202bc09d9b9caa8afcde1018584aec
Linux Linux a091289218202bc09d9b9caa8afcde1018584aec
Linux Linux 3a273cd0f47dd672d37736e623849374f9ab9ce9
Linux Linux d8570c4c3f2a3e51b3c8b5e6ec898364c5c03062
Linux Linux 6.6

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: fix potential UAF in set_cig_params_sync\n\nhci_conn lookup and field access must be covered by hdev lock in\nset_cig_params_sync, otherwise it's possible it is freed concurrently.\n\nTake hdev lock to prevent hci_conn from being deleted or modified\nconcurrently.  Just RCU lock is not suitable here, as we also want to\navoid \"tearing\" in the configuration.",
    "published": "2026-05-01T14:15:23.035Z",
    "modified": "2026-05-03T05:46:06.840Z",
    "type": "cve",
    "title": "Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/66d432e9b45bae7881ffcdb12cd8fd0bf254ef02\nhttps://git.kernel.org/stable/c/7d568fede8eac91161a60b710aa920abe9b0fb9f\nhttps://git.kernel.org/stable/c/bad65b4b0a96139f023eadc28a33125963208449\nhttps://git.kernel.org/stable/c/a2639a7f0f5bf7d73f337f8f077c19415c62ed2c",
    "id": "CVE-2026-43019",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux a091289218202bc09d9b9caa8afcde1018584aec\nLinux Linux a091289218202bc09d9b9caa8afcde1018584aec\nLinux Linux a091289218202bc09d9b9caa8afcde1018584aec\nLinux Linux a091289218202bc09d9b9caa8afcde1018584aec\nLinux Linux 3a273cd0f47dd672d37736e623849374f9ab9ce9\nLinux Linux d8570c4c3f2a3e51b3c8b5e6ec898364c5c03062\nLinux Linux 6.6",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "a091289218202bc09d9b9caa8afcde1018584aec",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply