Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix memory leak in error path of hci_alloc_dev()

Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A failure in the Bluetooth HCI UART initialization path in the Linux kernel can cause the SRCU structure allocated by hci_alloc_dev() not to be cleaned up when bt_host_release() is invoked before hci_register_dev() succeeds. The missing cleanup leaves per‑CPU memory allocated, which steadily accumulates as the device is repeatedly attempted to be provisioned and fails. This improper release of resources (CWE‑911) can result in kernel memory exhaustion, ultimately bringing the system to a denial‑of‑service state.

Affected Systems

All Linux kernel builds that include the Bluetooth subsystem prior to the fix commit are affected. The vulnerability exists in every distribution that ships the unsupported kernel version; any vendor using a kernel older than the applied patch is at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity, the EPSS score of < 1% suggests a low vulnerability is not listed in CISA KEV. The likely attack vector is local or privileged access required to force repeated HCI device initialization failures. The primary impact is memory exhaustion rather than confidentiality or integrity compromise.

Generated by OpenCVE AI on June 26, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version containing the cleanup_srcu_struct() fix for hci_alloc_dev()
  • Reboot the system to activate the updated kernel
  • Disable or remove any unused Bluetooth HCI UART devices to limit interaction with the affected code path

Generated by OpenCVE AI on June 26, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-687

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-687

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix memory leak in error path of hci_alloc_dev() Early failures in Bluetooth HCI UART configuration leak SRCU percpu memory. When device initialization fails before hci_register_dev() completes, the HCI_UNREGISTER flag is never set. As a result, when the device reference count reaches zero, bt_host_release() evaluates this flag as false and falls back to a direct kfree(hdev). Because hci_release_dev() is bypassed, the SRCU struct initialized early in hci_alloc_dev() is never cleaned up, resulting in a leak of percpu memory. Fix the leak by explicitly calling cleanup_srcu_struct() in the fallback (unregistered) branch of bt_host_release() before freeing the device.
Title Bluetooth: fix memory leak in error path of hci_alloc_dev()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:43.951Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53252

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53252 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-911

    Improper Update of Reference Count