Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: fix potential UAF in SSP passkey handlers

hci_conn lookup and field access must be covered by hdev lock in
hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise
the connection can be freed concurrently.

Extend the hci_dev_lock critical section to cover all conn usage in both
handlers.

Keep the existing keypress notification behavior unchanged by routing
the early exits through a common unlock path.
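
The locking shape the description calls for, as an added userspace C model (not the kernel's code and not the upstream patch): the lock is taken before the lookup and every exit, early ones included, leaves through one unlock label. All struct and function names are hypothetical, a counter stands in for hci_dev_lock, and which event types exit early is an assumption of the model.

```c
#include <stddef.h>
#include <string.h>
/* Userspace model only: every name here is a hypothetical stand-in. */
enum { KP_STARTED, KP_ENTERED, KP_ERASED, KP_CLEARED, KP_COMPLETED };
struct conn { unsigned char bdaddr[6]; int passkey_entered; };
struct dev  { int lock_held; struct conn *conns[4]; int notified; };

static void dev_lock(struct dev *d)   { d->lock_held++; } /* models hci_dev_lock */
static void dev_unlock(struct dev *d) { d->lock_held--; }

/* The returned pointer is only stable while the device lock is held. */
static struct conn *conn_lookup(struct dev *d, const unsigned char *addr)
{
    for (size_t i = 0; i < 4; i++)
        if (d->conns[i] && !memcmp(d->conns[i]->bdaddr, addr, 6))
            return d->conns[i];
    return NULL;
}

/* Fixed shape: lock before lookup; every exit leaves through "unlock". */
static int keypress_notify(struct dev *d, const unsigned char *addr, int type)
{
    struct conn *c;
    int rc = -1;                    /* -1: no connection for this address */
    dev_lock(d);
    c = conn_lookup(d, addr);
    if (!c)
        goto unlock;
    rc = 0;
    switch (type) {                 /* which types exit early is assumed */
    case KP_STARTED:   c->passkey_entered = 0; goto unlock;
    case KP_ENTERED:   c->passkey_entered++;   break;
    case KP_ERASED:    c->passkey_entered--;   break;
    case KP_CLEARED:   c->passkey_entered = 0; break;
    case KP_COMPLETED: goto unlock;
    }
    d->notified++;                  /* models the notification to userspace */
unlock:
    dev_unlock(d);
    return rc;
}

int main(void)
{
    struct conn c = { {1, 2, 3, 4, 5, 6}, 0 };   /* constructed sample */
    struct dev d = { 0, { &c }, 0 };
    keypress_notify(&d, c.bdaddr, KP_ENTERED);
    return d.lock_held;             /* 0: lock released on exit */
}
```
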
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Linux Bluetooth subsystem: the SSP passkey handlers hci_user_passkey_notify_evt() and hci_keypress_notify_evt() look up and access connection objects without holding the hdev lock, so the connection can be freed concurrently, which is a use-after-free. This can corrupt kernel memory or enable arbitrary code execution if an attacker can trigger the vulnerable functions while the connection is freed, potentially escalating privileges or crashing the system.

Affected Systems

All Linux kernel versions that implement the Bluetooth hci_event handlers without the lock fix are impacted. The specific versions are not listed but the issue resides in the general Bluetooth stack of the kernel.

Risk and Exploitability

No CVSS score is provided, but a kernel-level use-after-free is high severity. No EPSS score is available, and the vulnerability is not included in the CISA KEV catalog. The attack vector likely requires a Bluetooth SSP client that can send a passkey event, so the attacker needs physical proximity or the ability to pair with the target device.

Generated by OpenCVE AI on May 27, 2026 at 18:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the lock coverage fix for hci_event handlers.
  • Reboot the system or reload the Bluetooth module to ensure the new code is in use.
  • If Bluetooth is not needed, disable the service or restrict pairing to trusted devices.


Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.
Title | | Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:15.150Z

Reserved: 2026-05-13T15:03:33.094Z

Link: CVE-2026-46056

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:25.317

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46056

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:15:21Z

Weaknesses