Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER_CVE-2026-53072

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER\n\nWhen protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls\nhci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm()\nassumes it is held, and if conn is deleted concurrently -> UAF.\n\nOnly SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen,\nand HCI_EV_CONN_REQUEST is not generated for ISO.  In the non-deferred\nlistening socket code paths, hci_connect_cfm(conn) is called with\nhdev->lock held.\n\nFix by holding the lock.",
    "published": "2026-06-24T16:30:13.570Z",
    "modified": "2026-06-28T06:38:58.197Z",
    "type": "cve",
    "title": "Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4\nhttps://git.kernel.org/stable/c/9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e\nhttps://git.kernel.org/stable/c/c7777f534a8018ae4bb1c80d8925af4df588a314\nhttps://git.kernel.org/stable/c/6b4d226d01ab7da0d2027a2a1e3a6079152e5065\nhttps://git.kernel.org/stable/c/541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f\nhttps://git.kernel.org/stable/c/385b2d0468a0871fc716c549fa3b0c257c7dbcb3\nhttps://git.kernel.org/stable/c/c27224daf0b08efbb2b24ed64b6139b294f5473a\nhttps://git.kernel.org/stable/c/5c7209a341ff2ac338b2b0375c34a307b37c9ac2",
    "id": "CVE-2026-53072",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 70c464256310e1c3716099b9d02ece4169272f73\nLinux Linux 70c464256310e1c3716099b9d02ece4169272f73\nLinux Linux 70c464256310e1c3716099b9d02ece4169272f73\nLinux Linux 70c464256310e1c3716099b9d02ece4169272f73\nLinux Linux 70c464256310e1c3716099b9d02ece4169272f73\nLinux Linux 70c464256310e1c3716099b9d02ece4169272f73\nLinux Linux 70c464256310e1c3716099b9d02ece4169272f73\nLinux Linux 70c464256310e1c3716099b9d02ece4169272f73\nLinux Linux 3.17",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "70c464256310e1c3716099b9d02ece4169272f73",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}