Impact
The Linux kernel Bluetooth subsystem contains a race condition in bt_sock_poll: the accept queue of a listening socket is walked without synchronization while a queued child socket may concurrently be unlinked and have its last reference dropped. The walker can then dereference a socket that has already been freed, which is a use-after-free in kernel memory. The most likely outcome is a kernel crash, i.e. a denial of service of the whole system; in the worst case, an attacker who can influence the contents of the freed memory could turn the dangling access into kernel memory corruption. The vulnerability is classified under CWE-362 (race condition) and CWE-416 (use after free).
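The following user-space model is an added illustration of the bug pattern described above; it is not the kernel's code and not the upstream fix. A listening socket's accept queue is a linked list of child sockets, a poll-style walker counts the readable ones, and a racing party unlinks a child and drops what is by then its last reference. The names child_sock, listen_sock, accept_unlink and the locked flag are hypothetical stand-ins for the kernel's socket, list and socket-lock primitives, and "freed" is a flag rather than a real free() so the model can be run safely. The unlocked walk touches a freed child; the walk that holds the parent's lock makes the unlink wait until the walk is finished, which is the generic remedy for this class of race.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an accept queue (added example, not kernel code). */
struct child_sock {
    int refcnt;               /* references: accept queue + the socket's owner */
    bool freed;               /* set when the last reference is dropped */
    bool readable;            /* models an established connection (POLLIN) */
    struct child_sock *next;
};

struct listen_sock {
    bool locked;              /* hypothetical stand-in for the parent's socket lock */
    struct child_sock *accept_q;
};

static void sock_put(struct child_sock *c)
{
    if (--c->refcnt == 0)
        c->freed = true;      /* the kernel would really release the memory here */
}

/* Remove c from the accept queue and drop the queue's reference. */
static void accept_unlink(struct listen_sock *l, struct child_sock *c)
{
    struct child_sock **pp = &l->accept_q;

    while (*pp && *pp != c)
        pp = &(*pp)->next;
    if (*pp) {
        *pp = c->next;
        c->next = NULL;
        sock_put(c);
    }
}

/* Racing side: unlink the child and drop the owner's (now last) reference.
 * If the walker holds the lock it must wait; waiting is modelled as "deferred". */
static void race_unlink_and_put(struct listen_sock *l, struct child_sock *victim,
                                bool *deferred)
{
    if (l->locked) {
        *deferred = true;
        return;
    }
    accept_unlink(l, victim);
    sock_put(victim);
}

/* Walk the queue counting readable children; the race fires when the walker
 * reaches victim. Returns how many freed children the walker touched, so a
 * non-zero result corresponds to a use-after-free in the real kernel. */
static int poll_walk(struct listen_sock *l, struct child_sock *victim,
                     bool take_lock, int *ready)
{
    bool deferred = false;
    int uaf = 0;

    *ready = 0;
    if (take_lock)
        l->locked = true;
    for (struct child_sock *c = l->accept_q; c; c = c->next) {
        if (c == victim)
            race_unlink_and_put(l, victim, &deferred);
        if (c->freed) {       /* unlocked walker: c is dangling from here on */
            uaf++;
            break;
        }
        if (c->readable)
            (*ready)++;
    }
    if (take_lock) {
        l->locked = false;
        if (deferred)         /* lock released: the unlink now proceeds safely */
            race_unlink_and_put(l, victim, &deferred);
    }
    return uaf;
}

/* Constructed queue: three pending children, the middle one is the victim. */
static struct child_sock children[3];
static struct listen_sock parent;

static int run(bool take_lock, int *ready)
{
    parent.locked = false;
    parent.accept_q = NULL;
    for (int i = 2; i >= 0; i--) {
        children[i].refcnt = 2;
        children[i].freed = false;
        children[i].readable = (i >= 1);
        children[i].next = parent.accept_q;
        parent.accept_q = &children[i];
    }
    return poll_walk(&parent, &children[1], take_lock, ready);
}

int unlocked_walk_uaf(void)   { int r; return run(false, &r); }
int unlocked_walk_ready(void) { int r; run(false, &r); return r; }
int locked_walk_uaf(void)     { int r; return run(true, &r); }
int locked_walk_ready(void)   { int r; run(true, &r); return r; }

int main(void)
{
    int u = unlocked_walk_uaf(), ur = unlocked_walk_ready();
    int k = locked_walk_uaf(), kr = locked_walk_ready();

    printf("unlocked walk: uaf=%d ready=%d\n", u, ur);
    printf("locked walk:   uaf=%d ready=%d\n", k, kr);
    return 0;
}
```

In the unlocked walk the victim is unlinked and freed between the walker selecting it and reading its fields, so the walker reports a freed socket and never reaches the children behind it; in the locked walk the unlink is held off, the walker counts both readable children, and the victim is removed only after the lock is released.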
Affected Systems
All Linux distributions that ship a kernel containing the unpatched Bluetooth code are affected. According to the advisory the issue has existed since the initial Bluetooth import, so it should be assumed present in every kernel released before the fix was applied. No specific version ranges are listed in the advisory; the referenced fix commits are the authoritative way to determine whether a given kernel build already carries the correction.
Risk and Exploitability
No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The reference material gives no CVSS score, so severity cannot be quantified precisely, but a reachable kernel use-after-free is high impact on its own. bt_sock_poll is the poll() handler for Bluetooth sockets and, for a listening socket, walks its accept queue, so the race is between a local process polling a listening Bluetooth socket and the removal of a pending child connection from that queue; an attacker therefore needs either a Bluetooth link to the target or local access, depending on the device configuration. Triggering the race requires exercising the Bluetooth stack repeatedly while a queued socket is being removed, and no proof of concept is documented in the provided references, so it is uncertain whether the condition can be reliably hit in every environment. Nevertheless, the risk of disruptive kernel behaviour warrants prompt patching wherever an affected kernel is in use.
OpenCVE Enrichment