SB2026062666 - Use-after-free in Linux kernel bluetooth rfcomm
Published: June 26, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Use-after-free (CVE-ID: CVE-2026-53256)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in rfcomm_connect_ind() and rfcomm_get_sock_by_channel() when handling RFCOMM connection indications for a listener socket during a concurrent close. A remote attacker can trigger a race condition to cause a denial of service.
The issue occurs in the Linux kernel Bluetooth RFCOMM socket handling path when a listener socket is closed while a child socket is being queued, and KASAN reported the resulting slab-use-after-free in lock_sock_nested().
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/1f73f92f66251065a5f39b09a47cf05ea14d3107
- https://git.kernel.org/stable/c/43c441edacf953b39517a44f5e5e10a93618b226
- https://git.kernel.org/stable/c/6f4462d12133106460d7c046b95aad2491e3fddf
- https://git.kernel.org/stable/c/8802413ce63175fb522a2bd609fb043a3550c720
- https://git.kernel.org/stable/c/a07d741c077d4e34b16458241a94d29039386553
- https://git.kernel.org/stable/c/b0e33e409715c617e2a20f46f99aa5403a14dfda
- https://git.kernel.org/stable/c/de31973ef00e5aa55496f84cf6a44bb157a34e02
- https://git.kernel.org/stable/c/f5ec76bdbeb80f75ad0be204371afffee0f8fac8