{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53072","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.383Z","datePublished":"2026-06-24T16:30:13.570Z","dateUpdated":"2026-06-28T06:38:58.197Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-28T06:38:58.197Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER\n\nWhen protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls\nhci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm()\nassumes it is held, and if conn is deleted concurrently -> UAF.\n\nOnly SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen,\nand HCI_EV_CONN_REQUEST is not generated for ISO.  In the non-deferred\nlistening socket code paths, hci_connect_cfm(conn) is called with\nhdev->lock held.\n\nFix by holding the lock."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/hci_event.c"],"versions":[{"version":"70c464256310e1c3716099b9d02ece4169272f73","lessThan":"60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4","status":"affected","versionType":"git"},{"version":"70c464256310e1c3716099b9d02ece4169272f73","lessThan":"9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e","status":"affected","versionType":"git"},{"version":"70c464256310e1c3716099b9d02ece4169272f73","lessThan":"c7777f534a8018ae4bb1c80d8925af4df588a314","status":"affected","versionType":"git"},{"version":"70c464256310e1c3716099b9d02ece4169272f73","lessThan":"6b4d226d01ab7da0d2027a2a1e3a6079152e5065","status":"affected","versionType":"git"},{"version":"70c464256310e1c3716099b9d02ece4169272f73","lessThan":"541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f","status":"affected","versionType":"git"},{"version":"70c464256310e1c3716099b9d02ece4169272f73","lessThan":"385b2d0468a0871fc716c549fa3b0c257c7dbcb3","status":"affected","versionType":"git"},{"version":"70c464256310e1c3716099b9d02ece4169272f73","lessThan":"c27224daf0b08efbb2b24ed64b6139b294f5473a","status":"affected","versionType":"git"},{"version":"70c464256310e1c3716099b9d02ece4169272f73","lessThan":"5c7209a341ff2ac338b2b0375c34a307b37c9ac2","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/hci_event.c"],"versions":[{"version":"3.17","status":"affected"},{"version":"0","lessThan":"3.17","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.6.141"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.12.91"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.18.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"7.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4"},{"url":"https://git.kernel.org/stable/c/9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e"},{"url":"https://git.kernel.org/stable/c/c7777f534a8018ae4bb1c80d8925af4df588a314"},{"url":"https://git.kernel.org/stable/c/6b4d226d01ab7da0d2027a2a1e3a6079152e5065"},{"url":"https://git.kernel.org/stable/c/541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f"},{"url":"https://git.kernel.org/stable/c/385b2d0468a0871fc716c549fa3b0c257c7dbcb3"},{"url":"https://git.kernel.org/stable/c/c27224daf0b08efbb2b24ed64b6139b294f5473a"},{"url":"https://git.kernel.org/stable/c/5c7209a341ff2ac338b2b0375c34a307b37c9ac2"}],"title":"Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER","x_generator":{"engine":"bippy-1.2.0"}}}}