{"api_version":"1","generated_at":"2026-05-11T11:02:45+00:00","cve":"CVE-2026-43322","urls":{"html":"https://cve.report/CVE-2026-43322","api":"https://cve.report/api/cve/CVE-2026-43322.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43322","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43322"},"summary":{"title":"Bluetooth: hci_sync: Fix UAF in le_read_features_complete","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Fix UAF in le_read_features_complete\n\nThis fixes the following backtrace caused by hci_conn being freed\nbefore le_read_features_complete but after\nhci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue\nis not able to prevent it:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\nBUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\nBUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\nWrite of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52\n\nCPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:194 [inline]\n kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\n hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\n le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\n hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n </TASK>\n\nAllocated by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963\n hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084\n le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714\n hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861\n hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408\n hci_event_func net/bluetooth/hci_event.c:7716 [inline]\n hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773\n hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nFreed by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587\n kasan_save_free_info mm/kasan/kasan.h:406 [inline]\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2540 [inline]\n slab_free mm/slub.c:6663 [inline]\n kfree+0x2f8/0x6e0 mm/slub.c:6871\n device_release+0xa4/0x240 drivers/base/core.c:2565\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1e7/0x590 lib/kobject.\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-08 14:16:40","updated_at":"2026-05-11 08:16:09"},"problem_types":[],"metrics":[{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/260dc2be643b4a35b27008490c533613e3e53867","name":"https://git.kernel.org/stable/c/260dc2be643b4a35b27008490c533613e3e53867","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/035c25007c9e698bef3826070ee34bb6d778020c","name":"https://git.kernel.org/stable/c/035c25007c9e698bef3826070ee34bb6d778020c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43322","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43322","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a106e50be74b0896583f4d010a69f9806e4194f4 260dc2be643b4a35b27008490c533613e3e53867 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a106e50be74b0896583f4d010a69f9806e4194f4 035c25007c9e698bef3826070ee34bb6d778020c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.19","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.12 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43322","cve":"CVE-2026-43322","epss":"0.000180000","percentile":"0.050890000","score_date":"2026-05-10","updated_at":"2026-05-11 00:14:41"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/bluetooth/hci_sync.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"260dc2be643b4a35b27008490c533613e3e53867","status":"affected","version":"a106e50be74b0896583f4d010a69f9806e4194f4","versionType":"git"},{"lessThan":"035c25007c9e698bef3826070ee34bb6d778020c","status":"affected","version":"a106e50be74b0896583f4d010a69f9806e4194f4","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/bluetooth/hci_sync.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.19"},{"lessThan":"6.19","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.12","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.12","versionStartIncluding":"6.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.19","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Fix UAF in le_read_features_complete\n\nThis fixes the following backtrace caused by hci_conn being freed\nbefore le_read_features_complete but after\nhci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue\nis not able to prevent it:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\nBUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\nBUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\nWrite of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52\n\nCPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:194 [inline]\n kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\n hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\n le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\n hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n </TASK>\n\nAllocated by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963\n hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084\n le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714\n hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861\n hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408\n hci_event_func net/bluetooth/hci_event.c:7716 [inline]\n hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773\n hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nFreed by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587\n kasan_save_free_info mm/kasan/kasan.h:406 [inline]\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2540 [inline]\n slab_free mm/slub.c:6663 [inline]\n kfree+0x2f8/0x6e0 mm/slub.c:6871\n device_release+0xa4/0x240 drivers/base/core.c:2565\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1e7/0x590 lib/kobject.\n---truncated---"}],"metrics":[{"cvssV3_1":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-05-11T06:33:09.997Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/260dc2be643b4a35b27008490c533613e3e53867"},{"url":"https://git.kernel.org/stable/c/035c25007c9e698bef3826070ee34bb6d778020c"}],"title":"Bluetooth: hci_sync: Fix UAF in le_read_features_complete","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43322","datePublished":"2026-05-08T13:31:07.436Z","dateReserved":"2026-05-01T14:12:56.001Z","dateUpdated":"2026-05-11T06:33:09.997Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 14:16:40","lastModifiedDate":"2026-05-11 08:16:09","problem_types":[],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43322","Ordinal":"1","Title":"Bluetooth: hci_sync: Fix UAF in le_read_features_complete","CVE":"CVE-2026-43322","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43322","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Fix UAF in le_read_features_complete\n\nThis fixes the following backtrace caused by hci_conn being freed\nbefore le_read_features_complete but after\nhci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue\nis not able to prevent it:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\nBUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\nBUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\nWrite of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52\n\nCPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:194 [inline]\n kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\n hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\n le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\n hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n </TASK>\n\nAllocated by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963\n hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084\n le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714\n hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861\n hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408\n hci_event_func net/bluetooth/hci_event.c:7716 [inline]\n hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773\n hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nFreed by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587\n kasan_save_free_info mm/kasan/kasan.h:406 [inline]\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2540 [inline]\n slab_free mm/slub.c:6663 [inline]\n kfree+0x2f8/0x6e0 mm/slub.c:6871\n device_release+0xa4/0x240 drivers/base/core.c:2565\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1e7/0x590 lib/kobject.\n---truncated---","Type":"Description","Title":"Bluetooth: hci_sync: Fix UAF in le_read_features_complete"}]}}}