HIGHCVE-2026-46056Published Modified CNA Linux
CVE-2026-46056: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
001a6431766c35dfedb86e0cb5d3fc80c6d604a47204028af77a265e31ceb4ba7f643349a3cca72b26.6.1406.12.866.18.277.0.47.1-rc185fa3512048793076eef658f66489112dcc919938c6443bb9257b780986fb67ec08565bf48ecb8d7e08d75753db17aa943d7622f09d9c217b5bfd3b8
Affected packages
- Linux / Linux< 204028af77a265e31ceb4ba7f643349a3cca72b2 (from 92a25256f142d55e25f9959441cea6ddeabae57e) · < 01a6431766c35dfedb86e0cb5d3fc80c6d604a47 (from 92a25256f142d55e25f9959441cea6ddeabae57e) · < e08d75753db17aa943d7622f09d9c217b5bfd3b8 (from 92a25256f142d55e25f9959441cea6ddeabae57e) · < 8c6443bb9257b780986fb67ec08565bf48ecb8d7 (from 92a25256f142d55e25f9959441cea6ddeabae57e) · < 85fa3512048793076eef658f66489112dcc91993 (from 92a25256f142d55e25f9959441cea6ddeabae57e)
- Linux / Linux3.7Fixed in 0, 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H