Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt

hci_conn lookup and field access must be covered by hdev lock in
hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed
concurrently.

Extend the hci_dev_lock critical section to cover all conn usage.
Published: 2026-05-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing database lock in the Linux kernel Bluetooth HCI event handler allows the hci_conn structure to be freed while still referenced, leading to a use‑after‑free vulnerability. The flaw can cause memory corruption, which may result in a kernel crash or other unintended kernel behavior. No explicit remote code execution or privilege escalation has been documented in the official description.

Affected Systems

The vulnerability is present in the Linux kernel’s Bluetooth HCI implementation, specifically in the hci_le_remote_conn_param_req_evt handler. All kernel releases that contain the vulnerable code and have not been patched, including the Linux 7.0 release candidates 1 through 6, are potentially affected.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The flaw is not listed in the CISA KEV catalog. Kernel‑level use‑after‑free errors can compromise system stability and may affect confidentiality, integrity, and availability. Exploitation would require triggering the freed object scenario, which is typically tied to Bluetooth operations.

Generated by OpenCVE AI on May 8, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available Linux kernel patch that addresses the hci_le_remote_conn_param_req_evt lock fix.
  • Reboot the system or reload the Bluetooth kernel module to ensure the updated code is active.
  • If Bluetooth functionality is not required, disable or unload the Bluetooth subsystem to remove the vulnerable code path.

Generated by OpenCVE AI on May 8, 2026 at 21:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 08 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-413
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 01 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt hci_conn lookup and field access must be covered by hdev lock in hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage.
Title Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:07.005Z

Reserved: 2026-05-01T14:12:55.975Z

Link: CVE-2026-43018

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:45.980

Modified: 2026-05-08T14:15:26.283

Link: CVE-2026-43018

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43018 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T21:15:05Z

Weaknesses