Impact
The vulnerability resides in the Bluetooth subsystem of the Linux kernel. When the HCI_PROTO_DEFER flag is set, hci_conn_request_evt() invokes hci_connect_cfm(conn) without holding the required device lock. Because hci_connect_cfm() assumes that lock is held, a concurrent deletion of the same connection object can leave it operating on freed memory, a use-after-free that allows an attacker to corrupt memory or execute arbitrary code. The flaw is a classic use-after-free race condition (CWE-416).
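The lock-ordering flaw described above, as an added teaching model rather than kernel code: the racing CPU that runs hci_conn_del() inside the window is stood in for by a callback, and "freed" is tracked by a state field instead of real kfree() so the program stays well defined. All names other than the kernel functions being modelled (conn_request_evt, run_vulnerable, run_fixed, dev_locked, del_pending) are hypothetical.

```c
enum conn_state { CONN_UNUSED, CONN_LIVE, CONN_FREED };
struct hci_conn { enum conn_state state; int cfm_count; };
static int dev_locked;               /* models hci_dev_lock(hdev) */
static struct hci_conn *del_pending; /* deletion waiting for the lock */

/* Model of hci_conn_del(): it needs hci_dev_lock, so while another CPU
 * holds the lock the deletion waits and runs when that CPU unlocks. */
static void hci_conn_del(struct hci_conn *c) {
	if (dev_locked) { del_pending = c; return; }
	c->state = CONN_FREED;           /* stands in for kfree() */
}
static void hci_dev_lock(void) { dev_locked = 1; }
static void hci_dev_unlock(void) {
	dev_locked = 0;
	if (del_pending) { hci_conn_del(del_pending); del_pending = 0; }
}

/* Model of hci_connect_cfm(): -1 if it touched a freed object (the UAF). */
static int hci_connect_cfm(struct hci_conn *c) {
	if (c->state != CONN_LIVE) return -1;
	c->cfm_count++;
	return 0;
}

/* HCI_PROTO_DEFER path of hci_conn_request_evt(); 'racer' is the other CPU
 * running hci_conn_del(). fixed == 0: unlock, then confirm (the flaw). */
static int conn_request_evt(struct hci_conn *c, int fixed,
			    void (*racer)(struct hci_conn *)) {
	int rc;
	hci_dev_lock();
	c->state = CONN_LIVE;            /* conn looked up / created */
	if (fixed) {
		racer(c);                /* concurrent del must wait */
		rc = hci_connect_cfm(c); /* object still live */
		hci_dev_unlock();        /* deferred deletion runs now */
	} else {
		hci_dev_unlock();        /* window opens here */
		racer(c);                /* concurrent del frees conn */
		rc = hci_connect_cfm(c); /* use after free */
	}
	return rc;
}

int run_vulnerable(void) {       /* -1: a freed object was touched */
	struct hci_conn c = { CONN_UNUSED, 0 };
	return conn_request_evt(&c, 0, hci_conn_del);
}
int run_fixed(void) {            /* 0: confirmed live, freed after unlock */
	struct hci_conn c = { CONN_UNUSED, 0 };
	int rc = conn_request_evt(&c, 1, hci_conn_del);
	return (rc == 0 && c.cfm_count == 1 && c.state == CONN_FREED) ? 0 : -1;
}
```

The two entry points show why the fix is purely one of ordering: holding hci_dev_lock across hci_connect_cfm() forces the deletion to wait, so the confirm callback only ever sees a live object.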
Affected Systems
All Linux kernel builds that expose the Bluetooth stack and reach the hci_conn_request_evt() path are potentially affected. The vulnerable code path is exercised for SCO (and to a limited extent ISO) connections that use deferred listening. No affected kernel release is named, so any kernel built before the commit that adds the missing lock hold should be treated as vulnerable. System administrators should check whether their kernel includes that fixing commit.
Risk and Exploitability
Because the flaw requires a race between an incoming connection request carrying the defer flag and a concurrent deletion of the same connection object, exploitability is limited to environments where an attacker has enough control to trigger both actions, typically a local or privileged attacker. Neither a CVSS score nor an EPSS score is available, so no quantitative risk figure can be given. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation at the time of publication. Nonetheless, a use-after-free in the kernel could lead to privilege escalation or system compromise and should be addressed promptly.
OpenCVE Enrichment