CVE-2026-53276 is a vulnerability in Linux Kernel
Published on June 25, 2026
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer
In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is
dropped:
bis = iso_pi(sk)->conn->hcon;
/* Release the socket before lookups since that requires hci_dev_lock
* which shall not be acquired while holding sock_lock for proper
* ordering.
*/
release_sock(sk);
hci_dev_lock(bis->hdev);
During the unlocked window, could a concurrent close() destroy the connection
and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory
after it is freed, fix this by using the hdev reference which was safely
acquired via iso_conn_get_hdev().
Products Associated with CVE-2026-53276
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version d3413703d5f8b7d1e6f514f9440ed5da1bc30796 and below d324b8aa20bd3c3394e3647dc22491d88f3f4e7a is affected.
- Version d3413703d5f8b7d1e6f514f9440ed5da1bc30796 and below f50331f2a1441ec49988832c3a95f2edacc47322 is affected.
- Version 6.19 is affected.
- Before 6.19 is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.