CVE-2026-43322 Overview
CVE-2026-43322 is a use-after-free vulnerability [CWE-416] in the Linux kernel Bluetooth subsystem, specifically in the hci_sync host controller interface synchronization code. The flaw occurs in le_read_features_complete within net/bluetooth/hci_sync.c, where an hci_conn structure can be freed before the completion handler runs but after hci_le_read_remote_features_sync has executed. As a result, hci_conn_del -> hci_cmd_sync_dequeue fails to prevent access to the freed memory, leading to a slab use-after-free condition detected by KASAN.
Critical Impact
An adjacent-network attacker within Bluetooth range can trigger memory corruption in the kernel, potentially leading to denial of service or privilege escalation on affected Linux systems.
Affected Products
- Linux Kernel (mainline, prior to fix commits 035c25007c9e and 260dc2be643b)
- Linux Kernel 7.0-rc1 through 7.0-rc7 release candidates
- Distributions shipping affected upstream kernels with Bluetooth Low Energy enabled
Discovery Timeline
- 2026-05-08 - CVE-2026-43322 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43322
Vulnerability Analysis
The vulnerability resides in the Bluetooth Low Energy (LE) connection handling logic of the Linux kernel. When the kernel issues an HCI command to read remote LE features via hci_le_read_remote_features_sync, the response is processed asynchronously by the le_read_features_complete callback running on the hci_cmd_sync_work workqueue. The associated hci_conn object can be freed by another path after the command has been dispatched but before the completion handler accesses it.
KASAN reporting shows the freed memory is accessed inside hci_conn_drop, which performs an atomic_dec_and_test on the connection refcount. The original allocation occurs in __hci_conn_add during le_conn_complete_evt event processing, and the free occurs through the device release path via kobject_put and device_release. The synchronization mechanism hci_cmd_sync_dequeue, intended to cancel pending commands when a connection is destroyed, fails to handle the race window where the command has already completed at the controller but the completion callback has not yet run.
Root Cause
The root cause is a race condition between connection teardown and asynchronous HCI command completion processing. The hci_conn reference held by the queued command does not properly extend the object's lifetime across the controller round-trip, allowing the connection to be torn down while a callback referencing it remains scheduled.
Attack Vector
Exploitation requires Bluetooth proximity to a vulnerable host with Bluetooth LE enabled. An attacker can trigger crafted LE connection sequences, including rapid connect and disconnect cycles, to force the race between feature-read command completion and connection destruction. The vulnerability does not require authentication or user interaction.
The vulnerability manifests in the connection lifetime tracking logic of net/bluetooth/hci_sync.c. See the upstream commit references for technical details of the fix that ensures hci_conn lifetime spans the duration of in-flight command completions.
Detection Methods for CVE-2026-43322
Indicators of Compromise
- Kernel log entries containing KASAN: slab-use-after-free in le_read_features_complete or in hci_conn_drop
- Unexpected kernel oops or panic traces referencing hci_cmd_sync_work and net/bluetooth/hci_sync.c
- Bluetooth controller resets, repeated disconnects, or hci0 workqueue stalls without a benign cause
Detection Strategies
- Enable KASAN on test and staging kernels to surface the use-after-free signature during fuzzing or regression testing
- Audit kernel ring buffer output via dmesg for Bluetooth subsystem warnings around LE connection completion events
- Correlate Bluetooth adapter telemetry with system stability events to identify abnormal connect/disconnect storms from nearby devices
Monitoring Recommendations
- Forward journald and kmsg Bluetooth subsystem events to a centralized logging or SIEM pipeline for kernel crash signatures
- Monitor for unauthorized Bluetooth pairing attempts and anomalous LE scanning activity in proximity to sensitive endpoints
- Track installed kernel versions across the Linux fleet and alert when hosts run kernels predating the fix commits
How to Mitigate CVE-2026-43322
Immediate Actions Required
- Apply the upstream kernel patches from commits 035c25007c9e698bef3826070ee34bb6d778020c and 260dc2be643b4a35b27008490c533613e3e53867 or upgrade to a kernel release that includes them
- Disable the Bluetooth stack on systems that do not require it by unloading the bluetooth and btusb modules
- Restrict physical and radio-frequency proximity access to high-value Linux endpoints until patches are deployed
Patch Information
The fix is available through the official Linux kernel stable tree. Refer to the Kernel.org Commit Update and the Kernel.org Commit Reference for the patches that correct the hci_conn lifetime handling in le_read_features_complete. Distribution maintainers should backport these commits to their supported kernel branches.
Workarounds
- Disable Bluetooth at boot by blacklisting the bluetooth module in /etc/modprobe.d/ on systems that do not require wireless connectivity
- Stop and mask the bluetooth.service unit using systemctl on systemd-based distributions to prevent the stack from loading
- Limit LE advertising and connection acceptance through controller configuration on systems where Bluetooth must remain enabled
# Configuration example
# Disable the Bluetooth kernel module persistently
echo "blacklist bluetooth" | sudo tee /etc/modprobe.d/disable-bluetooth.conf
echo "blacklist btusb" | sudo tee -a /etc/modprobe.d/disable-bluetooth.conf
# Stop and mask the Bluetooth service
sudo systemctl stop bluetooth.service
sudo systemctl mask bluetooth.service
# Verify the modules are not loaded
lsmod | grep -E "bluetooth|btusb"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
