Bluetooth: fix memory leak in error path of hci_alloc_dev()
Summary
| CVE | CVE-2026-53252 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-25 09:16:43 UTC |
| Updated | 2026-07-08 16:48:59 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix memory leak in error path of hci_alloc_dev() Early failures in Bluetooth HCI UART configuration leak SRCU percpu memory. When device initialization fails before hci_register_dev() completes, the HCI_UNREGISTER flag is never set. As a result, when the device reference count reaches zero, bt_host_release() evaluates this flag as false and falls back to a direct kfree(hdev). Because hci_release_dev() is bypassed, the SRCU struct initialized early in hci_alloc_dev() is never cleaned up, resulting in a leak of percpu memory. Fix the leak by explicitly calling cleanup_srcu_struct() in the fallback (unregistered) branch of bt_host_release() before freeing the device. |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.001890000 probability, percentile 0.086870000 (date 2026-07-04)
Problem Types: CWE-401
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 90dee0a0ff84fac8accd5be98412b3819f667149 5b7dfca6f852e6b9d809fd0263b5427cc9fb33fd git | Not specified |
| CNA | Linux | Linux | affected c56b177efce8b62798e4d96bdb9867106cb7c4a0 c016118b9e51eeaf5bc93850d4c455a3b583c0aa git | Not specified |
| CNA | Linux | Linux | affected bc0819a25e04cd68ef3568cfa51b63118fea39a7 0622e527a31d4b44737fed5c1a2ac1fc2cfb5184 git | Not specified |
| CNA | Linux | Linux | affected ce23b73f0f27e2dbeb81734a79db710f05aa33c6 bc2efe73c194a74839d7cf57b63880d97e21d309 git | Not specified |
| CNA | Linux | Linux | affected 1d6123102e9fbedc8d25bf4731da6d513173e49e ce4b4cac3c5749b6aa75e62e2991ae2263f2f889 git | Not specified |
| CNA | Linux | Linux | affected 1d6123102e9fbedc8d25bf4731da6d513173e49e f82799407a50af7bcacacf09cc9b279af8fe9b81 git | Not specified |
| CNA | Linux | Linux | affected 1d6123102e9fbedc8d25bf4731da6d513173e49e 37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f git | Not specified |
| CNA | Linux | Linux | affected dd4becd3fd4102696e1c15e6d260a1712a2d8685 git | Not specified |
| CNA | Linux | Linux | affected 0e5c144c557df910ab64d9c25d06399a9a735e65 git | Not specified |
| CNA | Linux | Linux | affected 5.15.209 5.15.210 semver | Not specified |
| CNA | Linux | Linux | affected 6.1.167 6.1.176 semver | Not specified |
| CNA | Linux | Linux | affected 6.6.97 6.6.143 semver | Not specified |
| CNA | Linux | Linux | affected 6.12.36 6.12.94 semver | Not specified |
| CNA | Linux | Linux | affected 5.10.259 5.11 semver | Not specified |
| CNA | Linux | Linux | affected 6.15.5 6.16 semver | Not specified |
| CNA | Linux | Linux | affected 6.16 | Not specified |
| CNA | Linux | Linux | unaffected 6.16 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.210 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.176 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.143 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.94 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.36 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.13 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/bc2efe73c194a74839d7cf57b63880d97e21d309 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/f82799407a50af7bcacacf09cc9b279af8fe9b81 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/ce4b4cac3c5749b6aa75e62e2991ae2263f2f889 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/0622e527a31d4b44737fed5c1a2ac1fc2cfb5184 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/5b7dfca6f852e6b9d809fd0263b5427cc9fb33fd | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/c016118b9e51eeaf5bc93850d4c455a3b583c0aa | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.