Bluetooth: hci_conn: fix potential UAF in create_big_sync

CVE	CVE-2026-46111
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-28 10:16:26 UTC
Updated	2026-05-30 11:17:21 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fix potential UAF in create_big_sync Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete(). Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del(). hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way. Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000180000 probability, percentile 0.051640000 (date 2026-05-29)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected eca0ae4aea66914515e5e3098ea051b518ee5316 6823f730bf195fc296d9edd09e2ca94bc1ff5584 git	Not specified
CNA	Linux	Linux	affected eca0ae4aea66914515e5e3098ea051b518ee5316 1750a2df0eab61dc421a7afae74abdd239a44b85 git	Not specified
CNA	Linux	Linux	affected eca0ae4aea66914515e5e3098ea051b518ee5316 dc34f8d8240f25dd137dc2758ebbcc75e3779142 git	Not specified
CNA	Linux	Linux	affected eca0ae4aea66914515e5e3098ea051b518ee5316 f8eaf92c57ad99358dd372580d5ff87623343a72 git	Not specified
CNA	Linux	Linux	affected eca0ae4aea66914515e5e3098ea051b518ee5316 0beddb0c380bed5f5b8e61ddbe14635bb73d0b41 git	Not specified
CNA	Linux	Linux	affected 6.0	Not specified
CNA	Linux	Linux	unaffected 6.0 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.140 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.90 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.32 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.7 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc3 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/1750a2df0eab61dc421a7afae74abdd239a44b85	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/f8eaf92c57ad99358dd372580d5ff87623343a72	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/6823f730bf195fc296d9edd09e2ca94bc1ff5584	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/0beddb0c380bed5f5b8e61ddbe14635bb73d0b41	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/dc34f8d8240f25dd137dc2758ebbcc75e3779142	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.