HIGH · CVE-2026-46111 · CNA: Linux

CVE-2026-46111: Bluetooth: hci_conn: fix potential UAF in create_big_sync

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in create_big_sync

Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().

Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback.

The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del(). hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.

Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().
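The commit message above describes a pattern rather than a single line fix: take a reference before crossing the async boundary, re-check that the object is still in the hash under the device lock before dereferencing it, and drop the reference outside the lock. The following is an added, user-space C model of that pattern, written for this page; it is not kernel code and not HarborGuard's. Every name in it is hypothetical: `conn_t` stands in for hci_conn, `conn_hash` for hdev->conn_hash, `dev_lock()`/`dev_unlock()` for hci_dev_lock()/hci_dev_unlock(), `conn_valid_locked()` for hci_conn_valid(), and the "lock" is a depth counter so the program runs single-threaded and can verify that no final free happens while the lock is held.

```c
/* Added example, not kernel code and not part of this page's source: a
 * user-space model of the refcount-plus-lock pattern the fix describes.
 * All names are hypothetical stand-ins for the hci_conn machinery. */
#include <stdbool.h>
#include <stdlib.h>

#define ECANCELED 125            /* Linux errno value used by the fix */

typedef struct conn {
    int refcnt;                  /* models the hci_conn reference count */
    bool big_created;
    struct conn *next;           /* membership in conn_hash */
} conn_t;

static conn_t *conn_hash;        /* models hdev->conn_hash */
static int dev_lock_depth;       /* >0 while the device lock is held */
static int frees;                /* objects that reached the final put */
static int frees_under_lock;     /* final puts that ran with the lock held */

static void dev_lock(void)   { dev_lock_depth++; }
static void dev_unlock(void) { dev_lock_depth--; }
static int freed_count(void)            { return frees; }
static int freed_under_lock_count(void) { return frees_under_lock; }

/* hci_conn_get(): keep the object allocated across the async boundary. */
static conn_t *conn_get(conn_t *c) { c->refcnt++; return c; }

/* hci_conn_put(): the final put models kfree() via bt_link_release. */
static void conn_put(conn_t *c)
{
    if (--c->refcnt) return;
    frees++;
    if (dev_lock_depth) frees_under_lock++;
    free(c);
}

/* Allocate a connection and link it into the hash under the lock. */
static conn_t *conn_add(void)
{
    conn_t *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcnt = 1;               /* reference owned by the hash */
    dev_lock();
    c->next = conn_hash;
    conn_hash = c;
    dev_unlock();
    return c;
}

/* hci_conn_valid(): a pointer is trustworthy only while it is still in the
 * hash; the caller holds the lock so list removal cannot race the walk. */
static bool conn_valid_locked(const conn_t *c)
{
    for (const conn_t *p = conn_hash; p; p = p->next)
        if (p == c) return true;
    return false;
}

/* hci_conn_del(): unlink under the lock, then drop the hash's reference
 * outside it so a final free never runs with the lock held. */
static void conn_del(conn_t *c)
{
    dev_lock();
    for (conn_t **pp = &conn_hash; *pp; pp = &(*pp)->next)
        if (*pp == c) { *pp = c->next; break; }
    dev_unlock();
    conn_put(c);
}

/* create_big_sync(): return -ECANCELED for a stale connection instead of
 * programming the controller for an object that is being torn down. */
static int create_big_sync(conn_t *c)
{
    dev_lock();
    bool valid = conn_valid_locked(c);
    dev_unlock();
    if (!valid) return -ECANCELED;
    c->big_created = true;       /* safe: the hash still references c */
    return 0;
}

/* create_big_complete() as fixed: re-validate under the lock before any
 * dereference, then drop the reference taken when the work was queued.
 * The pre-fix callback touched c unconditionally on error. */
static int create_big_complete(conn_t *c, int err)
{
    int rc = err;
    dev_lock();
    if (err == -ECANCELED || !conn_valid_locked(c))
        rc = -ECANCELED;         /* stale: do not touch c's fields */
    else if (err)
        c->big_created = false;  /* real failure: tear-down would go here */
    dev_unlock();
    conn_put(c);                 /* may free c; deliberately outside the lock */
    return rc;
}

/* Queue the work and, optionally, delete the connection before it runs. */
static int simulate(bool delete_before_work)
{
    conn_t *c = conn_add();
    conn_get(c);                 /* taken when queueing create_big_sync() */
    if (delete_before_work)
        conn_del(c);             /* hash drops its ref; ours keeps c alive */
    int rc = create_big_complete(c, create_big_sync(c));
    if (!delete_before_work)
        conn_del(c);             /* normal teardown */
    return rc;
}
```

`simulate(true)` reproduces the ordering the fix guards against: the connection is deleted after the work is queued but before it runs, so `create_big_sync()` reports -ECANCELED and the completion callback never reads the object's fields; the reference taken at queue time is what keeps `c` a valid allocation until the final `conn_put()`. `simulate(false)` is the normal path. The two counters let you check both properties the commit message states: every object reaches exactly one final free, and none of those frees runs while the lock is held.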

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's Bluetooth HCI connection handling, specifically in the create_big_sync() function within hci_conn. An attacker with a low-privilege local account can trigger the flaw without any victim interaction. Successful exploitation gives the attacker full read, write, and crash capability over the affected system. Patched-image rebuilds at the fix versions (6.6.140 and 6.12.90, among others) are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that carry the affected kernel versions. Any image in a customer registry or CI pipeline running an affected Linux kernel version is flagged automatically.

Triage (Available)

HarborGuard triage is capable of scoring this CVE at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to reflect local risk tolerance. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (Available)

A patched-image rebuild at the fix versions (6.6.140, 6.12.90, or the corresponding commit SHAs) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the vulnerability; no admin or elevated credentials are needed.

  • Victim interaction: Not required

    No user interaction is required; the attacker can exploit the flaw entirely on their own.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions.

Blast Radius

  • A successful attacker reads arbitrary kernel memory, exposing sensitive data such as credentials, keys, or session state held in kernel space.
  • A successful attacker writes to arbitrary kernel memory, allowing modification of kernel data structures, security policy, or process credentials.
  • A successful attacker can crash the affected system by corrupting kernel state through the use-after-free, causing a denial of service.
  • The combination of read, write, and crash primitives makes privilege escalation to root practical from any low-privilege local account.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46111 is active across all connected registries and pipelines, with matching against both upstream base images and custom-built images that include an affected kernel. For environments running a vulnerable kernel version, a patched-image rebuild at 6.6.140, 6.12.90, or the corresponding upstream commit SHAs is available. For customers who opt into auto-remediation, HarborGuard initiates a rebuild, executes a regression test run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review, the finding is queued at HIGH severity with full CVSS detail for analyst disposition.


Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • 0
  • 0beddb0c380bed5f5b8e61ddbe14635bb73d0b41
  • 1750a2df0eab61dc421a7afae74abdd239a44b85
  • 6.6.140
  • 6.12.90
  • 6.18.32
  • 6823f730bf195fc296d9edd09e2ca94bc1ff5584
  • 7.0.7
  • 7.1-rc3
  • dc34f8d8240f25dd137dc2758ebbcc75e3779142
  • f8eaf92c57ad99358dd372580d5ff87623343a72

Affected packages

  • Linux / Linux (affected commit ranges, each starting from eca0ae4aea66914515e5e3098ea051b518ee5316)
    < 6823f730bf195fc296d9edd09e2ca94bc1ff5584
    < 1750a2df0eab61dc421a7afae74abdd239a44b85
    < dc34f8d8240f25dd137dc2758ebbcc75e3779142
    < f8eaf92c57ad99358dd372580d5ff87623343a72
    < 0beddb0c380bed5f5b8e61ddbe14635bb73d0b41
  • Linux / Linux
    Affected from: 6.0
    Fixed in: 0, 6.6.140, 6.12.90, 6.18.32, 7.0.7, 7.1-rc3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H