CVE-2026-53072 - Vulnerability Details

- Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER

When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls
hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm()
assumes it is held, and if conn is deleted concurrently -> UAF.

Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen,
and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred
listening socket code paths, hci_connect_cfm(conn) is called with
hdev->lock held.

Fix by holding the lock.

Published: 2026-06-24

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`70c464256310e1c3716099b9d02ece4169272f73`	affected	< 60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4
`70c464256310e1c3716099b9d02ece4169272f73`	affected	< 9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e
`70c464256310e1c3716099b9d02ece4169272f73`	affected	< c7777f534a8018ae4bb1c80d8925af4df588a314
`70c464256310e1c3716099b9d02ece4169272f73`	affected	< 6b4d226d01ab7da0d2027a2a1e3a6079152e5065
`70c464256310e1c3716099b9d02ece4169272f73`	affected	< 541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f
`70c464256310e1c3716099b9d02ece4169272f73`	affected	< 385b2d0468a0871fc716c549fa3b0c257c7dbcb3
`70c464256310e1c3716099b9d02ece4169272f73`	affected	< c27224daf0b08efbb2b24ed64b6139b294f5473a
`70c464256310e1c3716099b9d02ece4169272f73`	affected	< 5c7209a341ff2ac338b2b0375c34a307b37c9ac2

Linux

affected

Version	Status	Constraints
`3.17`	affected	—
`0`	unaffected	< 3.17
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[70c464256310e1c3716099b9d02ece4169272f73,60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4)`	affected	code_commit	—
`[70c464256310e1c3716099b9d02ece4169272f73,9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e)`	affected	code_commit	—
`[70c464256310e1c3716099b9d02ece4169272f73,c7777f534a8018ae4bb1c80d8925af4df588a314)`	affected	code_commit	—
`[70c464256310e1c3716099b9d02ece4169272f73,6b4d226d01ab7da0d2027a2a1e3a6079152e5065)`	affected	code_commit	—
`[70c464256310e1c3716099b9d02ece4169272f73,541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f)`	affected	code_commit	—
`[70c464256310e1c3716099b9d02ece4169272f73,385b2d0468a0871fc716c549fa3b0c257c7dbcb3)`	affected	code_commit	—
`[70c464256310e1c3716099b9d02ece4169272f73,c27224daf0b08efbb2b24ed64b6139b294f5473a)`	affected	code_commit	—
`[70c464256310e1c3716099b9d02ece4169272f73,5c7209a341ff2ac338b2b0375c34a307b37c9ac2)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.17`	affected	generic	—
`[0,3.17)`	unaffected	generic	—
`[5.10.258,5.11.0)`	unaffected	semver	—
`[5.15.209,5.16.0)`	unaffected	semver	—
`[6.1.175,6.2.0)`	unaffected	semver	—
`[6.6.141,6.7.0)`	unaffected	semver	—
`[6.12.91,6.13.0)`	unaffected	semver	—
`[6.18.33,6.19.0)`	unaffected	semver	—
`[7.0.10,7.1.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00247.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/385b2d0468a0871fc716c549fa3b0c257c7dbcb3
https://git.kernel.org/stable/c/541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f
https://git.kernel.org/stable/c/5c7209a341ff2ac338b2b0375c34a307b37c9ac2
https://git.kernel.org/stable/c/60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4
https://git.kernel.org/stable/c/6b4d226d01ab7da0d2027a2a1e3a6079152e5065
https://git.kernel.org/stable/c/9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e
https://git.kernel.org/stable/c/c27224daf0b08efbb2b24ed64b6139b294f5473a
https://git.kernel.org/stable/c/c7777f534a8018ae4bb1c80d8925af4df588a314
https://lore.kernel.org/linux-cve-announce/2026062405-CVE-2026-53072-8c50@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-53072
https://www.cve.org/CVERecord?id=CVE-2026-53072

History

Sun, 28 Jun 2026 08:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 26 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026062405-CVE-2026-53072-8c50@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-53072 https://www.cve.org/CVERecord?id=CVE-2026-53072
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF. Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held. Fix by holding the lock.
Title		Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/385b2d0468a0871fc716c549fa3b0c257c7dbcb3 https://git.kernel.org/stable/c/541d5bf9b5afaf41090b2a3aa7b47f2db2ff801f https://git.kernel.org/stable/c/5c7209a341ff2ac338b2b0375c34a307b37c9ac2 https://git.kernel.org/stable/c/60e3f4ff02d1f2d55bfbf2ca32a97285a9771ee4 https://git.kernel.org/stable/c/6b4d226d01ab7da0d2027a2a1e3a6079152e5065 https://git.kernel.org/stable/c/9d4a6c0f43fc5e4d4f062e8e450e5483eb74176e https://git.kernel.org/stable/c/c27224daf0b08efbb2b24ed64b6139b294f5473a https://git.kernel.org/stable/c/c7777f534a8018ae4bb1c80d8925af4df588a314

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:30:13.570Z

Updated: 2026-06-28T06:38:58.197Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53072

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53072 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses

CWE-364

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object