Impact
The Linux kernel Bluetooth subsystem contains a race condition in bt_sock_poll where the accept queue is walked without synchronization while a child socket may be unlinked and its last reference dropped. This unsynchronized access can lead to a use‑after‑free scenario, potentially causing kernel memory corruption or a crash that disrupts entire system operation. The weakness can be exploited to force a worst‑case, attacker‑controlled fault in kernel memory. The vulnerability is classified under CWE‑820.
Affected Systems
All Linux distributions that ship a kernel containing the unpatched Bluetooth code are affected. The issue has existed since the initial Bluetooth import, so it may be present in many kernel releases specific to the advisory, and the reference commits indicate that the fix was integrated after the issue was discovered.
Risk and Exploitability
The EPSS score is <1%, and the vulnerability is not listed in CISA KEV. The CVSS score is 8.8, indicating high severity. The unsynchronized accept queue walk can lead to kernel memory corruption. Based on the description, it is inferred that the most likely attack vector would involve a Bluetooth connection to the target, which can be established remotely or locally depending on the device configuration. An attacker would need to trigger the race condition by rapidly interacting with the Bluetooth stack while a socket is being removed. Because no exploitation proof of concept is documented in the provided references, it is uncertain whether the vulnerability can be reliably triggered in all environments. Nevertheless, the risk of disruptive kernel behavior warrants immediate attention if the affected kernel is in use.
OpenCVE Enrichment
Debian DLA