Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix memory leak in error path of hci_alloc_dev()

Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A failure in the Bluetooth HCI UART initialization path in the Linux kernel can leave the SRCU structure allocated by hci_alloc_dev() without cleanup when bt_host_release() is invoked before hci_register_dev() succeeds. The missing cleanup leaves per-CPU memory allocated, and the leak accumulates each time provisioning of the device is attempted and fails. This improper release of resources (CWE-687) can result in kernel memory exhaustion, ultimately bringing the system to a denial-of-service state.
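
The release-path logic described above, reduced to a user-space C model. This is an added example, not kernel source and not part of the CVE record; the model_* names, the percpu_live counter and leaked_after() are hypothetical stand-ins for the kernel objects named in the description.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: names echo the advisory, nothing here is kernel code. */
static long percpu_live;        /* outstanding modelled SRCU percpu allocations */
struct model_hdev {
    bool unregister_flag;       /* models HCI_UNREGISTER */
    bool srcu_ready;            /* models the SRCU struct set up at allocation */
};

static struct model_hdev *model_alloc_dev(void)
{
    struct model_hdev *hdev = calloc(1, sizeof(*hdev));
    if (!hdev)
        return NULL;
    hdev->srcu_ready = true;    /* SRCU init takes percpu memory */
    percpu_live++;
    return hdev;
}

/* Release callback, run on last put: full teardown if the flag is set, else fallback. */
static void model_host_release(struct model_hdev *hdev, bool patched)
{
    if ((hdev->unregister_flag || patched) && hdev->srcu_ready) {
        hdev->srcu_ready = false;   /* the fix adds this cleanup to the fallback */
        percpu_live--;
    }
    free(hdev);                 /* the unpatched fallback does only this */
}

/* Drive `attempts` setups; `registered` says whether registration completed. */
long leaked_after(int attempts, bool registered, bool patched)
{
    percpu_live = 0;
    for (int i = 0; i < attempts; i++) {
        struct model_hdev *hdev = model_alloc_dev();
        if (!hdev)
            break;
        hdev->unregister_flag = registered;  /* stays false on early failure */
        model_host_release(hdev, patched);
    }
    return percpu_live;
}

int main(void)
{
    printf("unpatched: %ld leaked, patched: %ld leaked\n", leaked_after(1000, false, false), leaked_after(1000, false, true));
    return 0;
}
```

In the model, only the combination of an early failure and the unpatched fallback leaves allocations outstanding, one per failed attempt.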

Affected Systems

All Linux kernel builds that include the Bluetooth subsystem and predate the fix commit are affected. The vulnerability exists in every distribution that ships such a kernel; any vendor using a kernel older than the applied patch is at risk.

Risk and Exploitability

The CVSS score is not publicly listed, and EPSS is not available, but the absence of this vulnerability from the CISA KEV catalog and the absence of a known remote exploitation path suggest a moderate risk. An attacker would need to force repeated HCI device initialization failures, which typically requires local or privileged access; the attack vector is therefore inferred to be local or privileged rather than remote. The primary impact is on availability (downtime due to memory exhaustion) rather than on confidentiality or integrity.

Generated by OpenCVE AI on June 25, 2026 at 12:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel version that includes the cleanup_srcu_struct() fix for hci_alloc_dev()
  • Reboot the system after upgrading to ensure the new code path is active
  • Verify per‑CPU memory usage and the number of active Bluetooth HCI devices to confirm the leak has been resolved

Generated by OpenCVE AI on June 25, 2026 at 12:06 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-687

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix memory leak in error path of hci_alloc_dev() Early failures in Bluetooth HCI UART configuration leak SRCU percpu memory. When device initialization fails before hci_register_dev() completes, the HCI_UNREGISTER flag is never set. As a result, when the device reference count reaches zero, bt_host_release() evaluates this flag as false and falls back to a direct kfree(hdev). Because hci_release_dev() is bypassed, the SRCU struct initialized early in hci_alloc_dev() is never cleaned up, resulting in a leak of percpu memory. Fix the leak by explicitly calling cleanup_srcu_struct() in the fallback (unregistered) branch of bt_host_release() before freeing the device.
Title | | Bluetooth: fix memory leak in error path of hci_alloc_dev()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:43.951Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53252

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:15:03Z

Weaknesses
  • CWE-687

    Function Call With Incorrectly Specified Argument Value