CVE-2026-46111
A use-after-free vulnerability exists in the Linux kernel's Bluetooth connection handling code. When creating a Broadcast Isochronous Group (BIG) connection, the kernel can attempt to access a connection object that has already been freed. This occurs because the code doesn't properly validate that a connection still exists before operating on it, and doesn't keep a reference to the connection object while asynchronous operations are in flight. A local attacker with limited privileges could exploit this to crash the system or potentially execute code with elevated privileges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-24
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fix potential UAF in create_big_sync Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete(). Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del(). hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way. Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46111 is a use-after-free (UAF) vulnerability in the Linux kernel's Bluetooth subsystem, specifically in the create_big_sync() and create_big_complete() functions. The vulnerability arises from improper lifecycle management of hci_conn objects across asynchronous boundaries. When create_big_complete() is called, it unconditionally dereferences the connection pointer without verifying the connection is still valid, and without holding a reference that prevents the object from being freed. The fix involves: (1) adding hci_conn_valid() checks in create_big_sync() to detect stale connections; (2) implementing reference counting via hci_conn_get()/hci_conn_put() to keep the connection object allocated during async operations; (3) re-validating the connection under hci_dev_lock() in the completion callback before dereferencing; and (4) handling the -ECANCELED error code appropriately. This pattern mirrors existing safe handling in create_le_conn_complete() and create_pa_complete().
Business impact
Exploitation could lead to kernel panic and system denial of service. In production environments, this could interrupt services relying on Bluetooth connectivity or cause unexpected system restarts. Additionally, depending on memory layout and exploit sophistication, the UAF could potentially be leveraged for privilege escalation or code execution, though such exploitation would require local access and additional techniques. Systems with Bluetooth enabled and unprivileged user access are at elevated risk.
Affected systems
The Linux kernel is affected across multiple versions. The vulnerability impacts systems where Bluetooth is enabled and ISO (Isochronous) connections are supported. Any Linux distribution shipping an unpatched kernel with Bluetooth subsystem support is vulnerable. Embedded systems, IoT devices, and desktops/laptops with Bluetooth chipsets are included in the affected scope.
Exploitability
Exploitation requires local access (AV:L) and no special privileges are needed beyond standard user-level permissions (PR:L). No user interaction is required (UI:N). The attack surface is relatively low compared to network-based vulnerabilities, but the barrier to entry is minimal for local users. Triggering the vulnerability requires manipulating Bluetooth connection state, which could be done through standard Bluetooth management tools or by crafting specific connection sequences. The CVSS score of 7.8 reflects high impact (confidentiality, integrity, and availability all affected) combined with local accessibility.
Remediation
Apply the upstream Linux kernel patch that implements proper reference counting and validation in the BIG creation pathway. The fix ensures connections are validated before use and held with hci_conn_get() during async operations, with corresponding hci_conn_put() calls in completion handlers. Verify against the vendor advisory for exact patched kernel versions applicable to your distribution. Administrators should prioritize kernel updates for systems with Bluetooth enabled and local user access.
Patch guidance
Contact your Linux distribution vendor for patched kernel releases. Upstream kernel patches addressing this issue should be available in stable kernel branches following the original fix. When updating, verify the specific kernel version includes commits addressing create_big_sync() reference counting and hci_conn_valid() checks. Test in a staging environment before production deployment, particularly if Bluetooth ISO functionality is actively used. Monitor kernel changelogs and distribution security advisories for official CVE patches.
Detection guidance
Monitor system logs for BIG connection creation failures and unexpected kernel panics, particularly those occurring during Bluetooth ISO connection establishment. Kernel crash dumps (if available) showing stack traces in create_big_complete() or related Bluetooth connection handling functions may indicate exploitation attempts. Runtime monitoring of Bluetooth connection state transitions and ISO stream creation could detect anomalous behavior. Consider enabling kernel address sanitizer (KASAN) or similar debugging on test systems to catch UAF conditions earlier.
Why prioritize this
This vulnerability merits high priority due to its HIGH CVSS severity (7.8), local accessibility, and the potential for both denial of service and privilege escalation. The lack of privilege escalation requirements and the straightforward triggering mechanism make it practically exploitable. However, its local-only nature means network-facing systems without direct user terminal access face lower immediate risk. Prioritize patching for multi-user systems, shared hosting environments, and systems where untrusted users may have local shell access.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: Attack Vector Local (systems must be locally accessible); Attack Complexity Low (no special conditions required); Privileges Required Low (standard user sufficient); User Interaction None (no user action needed); Scope Unchanged (impact limited to the affected system); and high impact across Confidentiality, Integrity, and Availability (all marked High due to potential code execution and system crash). The score appropriately captures a serious local vulnerability that is practical to exploit but requires initial local access.
Frequently asked questions
Can this vulnerability be exploited remotely over Bluetooth?
No. While the vulnerability exists in Bluetooth code, it requires local system access (AV:L in the CVSS vector). An attacker would need to either have a local user account or direct terminal access to the affected system. Remote Bluetooth exploitation would first require the attacker to establish a local Bluetooth connection and manipulate connection state, which is beyond typical remote attack scenarios.
What is a use-after-free vulnerability and why is it dangerous?
A use-after-free (UAF) occurs when code attempts to access memory that has already been freed and returned to the system. Freed memory may be reused for other purposes, so dereferencing it can corrupt unrelated data structures or potentially allow an attacker to control the freed memory. In this case, the kernel could crash (DoS) or, with careful exploitation, could lead to code execution by poisoning the freed memory with malicious data.
Does this affect all Bluetooth devices or only certain configurations?
The vulnerability specifically affects ISO (Isochronous) Bluetooth connections used for real-time audio/video streaming. Systems using only classic Bluetooth or basic Bluetooth Low Energy (BLE) without ISO support may not be affected, though the code path still exists in modern kernels. If your system doesn't actively use or support BIG (Broadcast Isochronous Group) connections, the practical attack surface is reduced, but the kernel-level code flaw still exists.
What should I do if I cannot immediately patch?
If immediate patching is not possible, reduce exposure by: (1) limiting local user access to systems with Bluetooth enabled; (2) disabling Bluetooth entirely if not needed; (3) restricting Bluetooth management permissions to trusted users only; (4) implementing additional monitoring for unexpected kernel panics or Bluetooth-related errors; (5) prioritizing this update in your patching schedule. However, these are temporary mitigations—upstream patching is the definitive fix.
This analysis is based on the CVE description and publicly available vulnerability data as of the publication date. Actual exploitability and impact may vary depending on kernel configuration, distribution-specific patches, and system architecture. Organizations should verify patch availability against their specific Linux distribution and kernel version. SEC.co does not provide exploit code or detailed weaponization guidance. For the most current information and official patches, consult your Linux distribution's security advisories and the upstream Linux kernel project. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGH
CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGH
CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGH
CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGH
CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGH
CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGH
CVE-2026-10013: Use-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGH
CVE-2026-10016: Use-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGH
CVE-2026-10882: Critical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance