Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in create_big_sync

Add hci_conn_valid() check in create_big_sync() to detect stale
connections before proceeding with BIG creation. Handle the
resulting -ECANCELED in create_big_complete() and re-validate the
connection under hci_dev_lock() before dereferencing, matching the
pattern used by create_le_conn_complete() and create_pa_complete().

Keep the hci_conn object alive across the async boundary by taking
a reference via hci_conn_get() when queueing create_big_sync(), and
dropping it in the completion callback. The refcount and the lock
are complementary: the refcount keeps the object allocated, while
hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on
hdev->conn_hash, as required by hci_conn_del().

hci_conn_put() is called outside hci_dev_unlock() so the final put
(which resolves to kfree() via bt_link_release) does not run under
hdev->lock, though the release path would be safe either way.

Without this, create_big_complete() would unconditionally
dereference the conn pointer on error, causing a use-after-free
via hci_connect_cfm() and hci_conn_del().
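The refcount-plus-lock pattern the commit message describes, shown as an added userspace C simulation (this is not the kernel's code and does not call any hci_* API). A `struct dev` with a small fixed array stands in for hdev->conn_hash, a nesting counter stands in for hci_dev_lock()/hci_dev_unlock(), and `conn_get`/`conn_put`/`conn_valid`/`conn_del` are constructed stand-ins for hci_conn_get(), hci_conn_put(), hci_conn_valid() and hci_conn_del(). The work function refuses a stale conn with -ECANCELED, the completion re-validates under the lock before the only dereference, and the queue-time reference is dropped after the lock is released; counters on the device record whether any final put ran under the lock. The `run_scenario` driver and all names are assumptions made for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for hci_dev: a fixed-size "hash" of live
 * connections plus counters that let us observe the pattern's guarantees. */
#define MAX_CONNS 4
struct dev {
    struct conn *hash[MAX_CONNS];   /* plays the role of hdev->conn_hash */
    int locked;                     /* >0 while the hci_dev_lock() stand-in is held */
    int freed;                      /* conns that reached the final put */
    int puts_under_lock;            /* final puts that ran with the lock held (want 0) */
    int cfm_calls;                  /* times the hci_connect_cfm() stand-in ran */
};

/* Constructed stand-in for hci_conn. */
struct conn {
    struct dev *hdev;
    int refcnt;
    int handle;
};

static void dev_lock(struct dev *d)   { d->locked++; }
static void dev_unlock(struct dev *d) { d->locked--; }

/* hci_conn_get()/hci_conn_put() stand-ins: the final put frees the object. */
static struct conn *conn_get(struct conn *c) { c->refcnt++; return c; }
static void conn_put(struct conn *c)
{
    struct dev *d = c->hdev;
    if (--c->refcnt == 0) {
        if (d->locked) d->puts_under_lock++;
        d->freed++;
        free(c);                    /* after this, c must not be touched */
    }
}

/* hci_conn_valid() stand-in: is c still linked in the hash? Callers hold the lock. */
static bool conn_valid(struct dev *d, struct conn *c)
{
    for (int i = 0; i < MAX_CONNS; i++)
        if (d->hash[i] == c) return true;
    return false;
}

/* Create a conn owned by the hash (the hash holds the initial reference). */
static struct conn *conn_add(struct dev *d, int handle)
{
    struct conn *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->hdev = d; c->handle = handle; c->refcnt = 1;
    for (int i = 0; i < MAX_CONNS; i++)
        if (!d->hash[i]) { d->hash[i] = c; return c; }
    free(c);                        /* hash full: constructed edge case */
    return NULL;
}

/* hci_conn_del() stand-in: unlink under the lock, then drop the hash's reference. */
static void conn_del(struct dev *d, struct conn *c)
{
    dev_lock(d);
    for (int i = 0; i < MAX_CONNS; i++)
        if (d->hash[i] == c) d->hash[i] = NULL;
    dev_unlock(d);
    conn_put(c);
}

/* create_big_sync() stand-in: refuse to work on a conn that was deleted
 * between queueing and execution. */
static int create_big_sync_sim(struct dev *d, struct conn *c)
{
    dev_lock(d);
    bool valid = conn_valid(d, c);
    dev_unlock(d);
    return valid ? 0 : -ECANCELED;
}

/* create_big_complete() stand-in: re-validate under the lock before any
 * dereference, then drop the queue-time reference outside the lock. */
static void create_big_complete_sim(struct dev *d, struct conn *c, int err)
{
    dev_lock(d);
    if (err != -ECANCELED && conn_valid(d, c))
        d->cfm_calls++;             /* the only place the live conn is used */
    dev_unlock(d);
    conn_put(c);                    /* may be the final put; runs unlocked */
}

/* Drive one scenario: queue the job (taking a reference), optionally delete
 * the conn before the job runs, then run job and completion. Returns the
 * job's result; d's counters record what happened. */
static int run_scenario(struct dev *d, bool delete_before_run)
{
    struct conn *c = conn_add(d, 1);
    if (!c) return -ENOMEM;
    conn_get(c);                    /* hci_conn_get() when queueing the work */
    if (delete_before_run)
        conn_del(d, c);             /* the race: conn goes away before the job */
    int err = create_big_sync_sim(d, c);
    create_big_complete_sim(d, c, err);
    if (!delete_before_run)
        conn_del(d, c);             /* normal teardown after successful completion */
    return err;
}
```

Running `run_scenario` with `delete_before_run` false shows the normal path: the completion uses the conn exactly once and the object is freed only on the teardown put. With it true, the job returns -ECANCELED, the completion never dereferences the conn, and the queue-time reference is what keeps the memory allocated until the completion's own put, which runs with the lock released, mirroring the reason the commit message gives for calling hci_conn_put() after hci_dev_unlock().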
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw exists in the Linux kernel Bluetooth HCI subsystem during the creation of a BIG (Basic Identification Group) connection. The defect occurs when the create_big_sync() function fails to validate a stale hci_conn object before proceeding, causing create_big_complete() to dereference a pointer that may already have been freed. This kernel-level memory corruption can allow an attacker with sufficient access to a Bluetooth device, or who can influence the BIG transaction sequence, to execute arbitrary code, crash the system, or elevate privileges.

Affected Systems

All Linux kernel releases that do not include the hci_conn_valid() patch in the Bluetooth HCI driver. The issue applies to any kernel build prior to the commit that added the staleness check, regardless of distribution, because the vulnerability is in core Linux kernel code and not limited to a specific vendor.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS score is < 1%, indicating no confirmed public exploits at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation would most likely require a local or privileged attacker who can manipulate a Bluetooth device to trigger the flawed BIG transaction sequence, or a remote attacker who can influence the device's Bluetooth stack. The potential impact is medium due to the kernel location, but the lack of publicly documented exploits reduces immediate risk, though the vulnerability remains serious.

Generated by OpenCVE AI on May 29, 2026 at 05:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the hci_conn_valid() patch for the Bluetooth HCI driver
  • Reboot the system after the kernel update to load the patched code
  • If an update cannot be applied immediately, disable the Bluetooth BIG feature or limit Bluetooth services to reduce exposure to the flaw


Advisories

No advisories yet.

History

Fri, 29 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics: removed threat_severity None; added cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'} and threat_severity Moderate


Thu, 28 May 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description (added): identical to the Description section above
Title (added): Bluetooth: hci_conn: fix potential UAF in create_big_sync
First Time appeared: Linux; Linux linux Kernel
CPEs (added): cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products (added): Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:19.970Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46111

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:26.550

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46111

Redhat

Severity : Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46111 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T05:30:36Z

Weaknesses