CVE-2026-43019 - Vulnerability Details

- Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

hci_conn lookup and field access must be covered by hdev lock in
set_cig_params_sync, otherwise it's possible it is freed concurrently.

Take hdev lock to prevent hci_conn from being deleted or modified
concurrently. Just RCU lock is not suitable here, as we also want to
avoid "tearing" in the configuration.

Published: 2026-05-01

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An unprotected use‑after‑free occurs in the Linux kernel Bluetooth stack when the set_cig_params_sync function accesses an hci_conn object without acquiring the necessary hdev lock, allowing the object to be freed or modified concurrently. Dereferencing a freed object can corrupt kernel memory or cause a crash. The potential for gaining higher privileges is inferred from the severity and impact described.

Affected Systems

All Linux kernel releases that contain the upstream Bluetooth implementation before the commits adding the hdev lock are vulnerable; this includes commonly shipped generic kernels such as 6.4.x, 6.5.x, and early 7.0 release candidates. Any distribution that distributes a kernel derived from those sources without applying the lock patch is at risk.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. Evidence of publicly documented exploits is lacking; however, based on the description, it is inferred that an attacker would need local interaction with the device’s Bluetooth interface and the ability to trigger the set_cig_params_sync operation. Remote exploitation would likely require an additional local privilege escalation vector. The overall risk is moderate due to the low EPSS and lack of existing exploits.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a091289218202bc09d9b9caa8afcde1018584aec`	affected	< 66d432e9b45bae7881ffcdb12cd8fd0bf254ef02
`a091289218202bc09d9b9caa8afcde1018584aec`	affected	< 7d568fede8eac91161a60b710aa920abe9b0fb9f
`a091289218202bc09d9b9caa8afcde1018584aec`	affected	< bad65b4b0a96139f023eadc28a33125963208449
`a091289218202bc09d9b9caa8afcde1018584aec`	affected	< a2639a7f0f5bf7d73f337f8f077c19415c62ed2c
`3a273cd0f47dd672d37736e623849374f9ab9ce9`	affected	—
`d8570c4c3f2a3e51b3c8b5e6ec898364c5c03062`	affected	—
`6.4.16`	affected	< 6.5
`6.5.3`	affected	< 6.6

Linux

affected

Version	Status	Constraints
`6.6`	affected	—
`0`	unaffected	< 6.6
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.4.16:::::::*
	cpe:2.3:o:linux:linux_kernel:6.5.3:::::::*
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[a091289218202bc09d9b9caa8afcde1018584aec,66d432e9b45bae7881ffcdb12cd8fd0bf254ef02)`	affected	code_commit	—
`[a091289218202bc09d9b9caa8afcde1018584aec,7d568fede8eac91161a60b710aa920abe9b0fb9f)`	affected	code_commit	—
`[a091289218202bc09d9b9caa8afcde1018584aec,bad65b4b0a96139f023eadc28a33125963208449)`	affected	code_commit	—
`[a091289218202bc09d9b9caa8afcde1018584aec,a2639a7f0f5bf7d73f337f8f077c19415c62ed2c)`	affected	code_commit	—
`3a273cd0f47dd672d37736e623849374f9ab9ce9`	affected	code_commit	—
`d8570c4c3f2a3e51b3c8b5e6ec898364c5c03062`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.6`	affected	semver	—
`[0,6.6)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version containing the commit that introduces the hdev lock around set_cig_params_sync, such as any kernel released after the referenced changes
If an immediate kernel upgrade is not possible, disable or unload the Bluetooth module to remove the attack surface
Continuously monitor vendor advisories, kernel mailing lists, and security bulletins for updates that address this issue and apply them as soon as they become available

Generated by OpenCVE AI on May 8, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/66d432e9b45bae7881ffcdb12cd8fd0bf254ef02
https://git.kernel.org/stable/c/7d568fede8eac91161a60b710aa920abe9b0fb9f
https://git.kernel.org/stable/c/a2639a7f0f5bf7d73f337f8f077c19415c62ed2c
https://git.kernel.org/stable/c/bad65b4b0a96139f023eadc28a33125963208449
https://lore.kernel.org/linux-cve-announce/2026050157-CVE-2026-43019-0c5c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43019
https://www.cve.org/CVERecord?id=CVE-2026-43019

History

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
CPEs		cpe:2.3:o:linux:linux_kernel:6.4.16:::::::* cpe:2.3:o:linux:linux_kernel:6.5.3:::::::* cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::

Sun, 03 May 2026 06:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Sat, 02 May 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-821
References		https://lore.kernel.org/linux-cve-announce/2026050157-CVE-2026-43019-0c5c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43019 https://www.cve.org/CVERecord?id=CVE-2026-43019
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 01 May 2026 23:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possible it is freed concurrently. Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration.
Title		Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/66d432e9b45bae7881ffcdb12cd8fd0bf254ef02 https://git.kernel.org/stable/c/7d568fede8eac91161a60b710aa920abe9b0fb9f https://git.kernel.org/stable/c/a2639a7f0f5bf7d73f337f8f077c19415c62ed2c https://git.kernel.org/stable/c/bad65b4b0a96139f023eadc28a33125963208449

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:23.035Z

Updated: 2026-05-23T16:05:59.395Z

Reserved: 2026-05-01T14:12:55.975Z

Link: CVE-2026-43019

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T15:16:46.103

Modified: 2026-05-08T14:35:10.090

Link: CVE-2026-43019

Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43019 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T20:30:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object