Use-after-free in Linux kernel - CVE-2026-53256
Published: June 26, 2026
Linux kernel
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in rfcomm_connect_ind() and rfcomm_get_sock_by_channel() when handling RFCOMM connection indications for a listener socket during a concurrent close. A remote attacker can trigger a race condition to cause a denial of service.
The issue occurs in the Linux kernel Bluetooth RFCOMM socket handling path when a listener socket is closed while a child socket is being queued, and KASAN reported the resulting slab-use-after-free in lock_sock_nested().
How to mitigate CVE-2026-53256
Sources
- https://git.kernel.org/stable/c/1f73f92f66251065a5f39b09a47cf05ea14d3107
- https://git.kernel.org/stable/c/43c441edacf953b39517a44f5e5e10a93618b226
- https://git.kernel.org/stable/c/6f4462d12133106460d7c046b95aad2491e3fddf
- https://git.kernel.org/stable/c/8802413ce63175fb522a2bd609fb043a3550c720
- https://git.kernel.org/stable/c/a07d741c077d4e34b16458241a94d29039386553
- https://git.kernel.org/stable/c/b0e33e409715c617e2a20f46f99aa5403a14dfda
- https://git.kernel.org/stable/c/de31973ef00e5aa55496f84cf6a44bb157a34e02
- https://git.kernel.org/stable/c/f5ec76bdbeb80f75ad0be204371afffee0f8fac8