Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: serialize accept_q access

bt_sock_poll() walks the accept queue without synchronization, while
child teardown can unlink the same socket and drop its last reference.
The unsynchronized accept queue walk has existed since the initial
Bluetooth import.

Protect accept_q with a dedicated lock for queue updates and polling.
Also rework bt_accept_dequeue() to take temporary child references under
the queue lock before dropping it and locking the child socket.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel Bluetooth subsystem contains a race condition in bt_sock_poll where the accept queue is walked without synchronization while a child socket may be unlinked and its last reference dropped. This unsynchronized access can lead to a use‑after‑free scenario, potentially causing kernel memory corruption or a crash that disrupts entire system operation. The weakness can be exploited to force a worst‑case, attacker‑controlled fault in kernel memory. The vulnerability is classified under CWE‑820.

Affected Systems

All Linux distributions that ship a kernel containing the unpatched Bluetooth code are affected. The issue has existed since the initial Bluetooth import, so it may be present in many kernel releases specific to the advisory, and the reference commits indicate that the fix was integrated after the issue was discovered.

Risk and Exploitability

The EPSS score is <1%, and the vulnerability is not listed in CISA KEV. The CVSS score is 8.8, indicating high severity. The unsynchronized accept queue walk can lead to kernel memory corruption. Based on the description, it is inferred that the most likely attack vector would involve a Bluetooth connection to the target, which can be established remotely or locally depending on the device configuration. An attacker would need to trigger the race condition by rapidly interacting with the Bluetooth stack while a socket is being removed. Because no exploitation proof of concept is documented in the provided references, it is uncertain whether the vulnerability can be reliably triggered in all environments. Nevertheless, the risk of disruptive kernel behavior warrants immediate attention if the affected kernel is in use.

Generated by OpenCVE AI on June 28, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that implements the bt_sock_poll and bt_accept_dequeue fixes linked in the advisory commits.
  • If an immediate kernel update is not available, disable the Bluetooth subsystem or unbind the corresponding kernel module to prevent race condition exploitation.
  • Monitor system logs for kernel panics or unusual restarts that may indicate Bluetooth‑related faults.

Generated by OpenCVE AI on June 28, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-820
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: serialize accept_q access bt_sock_poll() walks the accept queue without synchronization, while child teardown can unlink the same socket and drop its last reference. The unsynchronized accept queue walk has existed since the initial Bluetooth import. Protect accept_q with a dedicated lock for queue updates and polling. Also rework bt_accept_dequeue() to take temporary child references under the queue lock before dropping it and locking the child socket.
Title Bluetooth: serialize accept_q access
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:36.561Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52918

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52918 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses