CVE-2026-46056 Overview
CVE-2026-46056 is a use-after-free vulnerability in the Linux kernel's Bluetooth subsystem. The flaw resides in the Secure Simple Pairing (SSP) passkey event handlers within hci_event.c. Specifically, the functions hci_user_passkey_notify_evt() and hci_keypress_notify_evt() performed hci_conn lookups and field accesses without holding the hdev lock. A concurrent code path could free the connection structure while these handlers accessed it, producing a classic use-after-free condition [CWE-416].
Critical Impact
Concurrent freeing of an hci_conn structure during SSP passkey event processing can lead to kernel memory corruption, potentially enabling denial of service or local privilege escalation on systems with active Bluetooth pairing.
Affected Products
- Linux kernel Bluetooth subsystem (net/bluetooth/hci_event.c)
- Linux distributions shipping affected stable kernel branches prior to the fix
- Systems exposing Bluetooth with SSP pairing enabled
Discovery Timeline
- 2026-05-27 - CVE-2026-46056 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46056
Vulnerability Analysis
The Linux kernel Bluetooth Host Controller Interface (HCI) layer processes events from controllers, including SSP passkey notifications. Two event handlers, hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), looked up an hci_conn object by Bluetooth device address and then accessed fields on that object. The original code did not hold hci_dev_lock across the full lookup-and-use sequence. Another kernel context could complete connection teardown and free the hci_conn structure between the lookup and the field dereference. The patch extends the hci_dev_lock critical section to cover all conn usage in both handlers and routes early exits through a common unlock path to preserve existing keypress notification behavior.
Root Cause
The root cause is missing synchronization. The hci_conn object lifetime is governed by hdev locking, but the SSP passkey handlers accessed the connection outside that lock. This created a race window where a concurrent disconnect or cleanup path could free the object while the event handler still held a reference to it.
Attack Vector
An attacker within Bluetooth range, or a local actor able to influence Bluetooth events, can trigger SSP passkey notification events while initiating or tearing down a pairing session. Winning the race causes the kernel to dereference freed memory. The vulnerability requires Bluetooth to be active and SSP pairing flows to be exercised. The NVD record does not provide a CVSS vector or attack complexity rating at this time.
No public exploitation code is referenced in the advisory. The fix is published as upstream kernel commits, including 01a64317, 204028af, 85fa3512, 8c6443bb, and e08d7575.
Detection Methods for CVE-2026-46056
Indicators of Compromise
- Kernel oops or panic messages referencing hci_user_passkey_notify_evt or hci_keypress_notify_evt in dmesg or journalctl -k output.
- KASAN use-after-free reports involving hci_conn structures on kernels built with sanitizers.
- Unexpected Bluetooth daemon (bluetoothd) restarts or crashes coinciding with pairing attempts.
Detection Strategies
- Inventory kernel versions across Linux endpoints and compare against the fixed stable branches referenced in the upstream commits.
- Enable kernel crash collection (kdump, pstore) to capture stack traces involving Bluetooth event handlers.
- Correlate Bluetooth pairing attempts in audit logs with kernel ring buffer warnings to identify race-triggered failures.
Monitoring Recommendations
- Forward dmesg and journald kernel messages to a central log platform and alert on Bluetooth subsystem oops signatures.
- Monitor for repeated Bluetooth pairing requests from untrusted devices, which may indicate attempts to trigger the race.
- Track kernel package versions through configuration management and flag hosts running unpatched builds.
How to Mitigate CVE-2026-46056
Immediate Actions Required
- Apply the latest stable kernel update from your Linux distribution that includes the upstream fix commits.
- Disable the Bluetooth stack on systems that do not require it by stopping and masking the bluetooth.service unit.
- Restrict Bluetooth discoverability and pairing on systems that must keep the radio active.
Patch Information
The vulnerability is fixed by extending the hci_dev_lock critical section across all hci_conn access in both SSP passkey event handlers. The upstream patches are available as the following commits: Linux Kernel Commit 01a64317, Linux Kernel Commit 204028af, Linux Kernel Commit 85fa3512, Linux Kernel Commit 8c6443bb, and Linux Kernel Commit e08d7575.
Workarounds
- Unload the Bluetooth kernel modules (btusb, bluetooth) on hosts where Bluetooth is not required.
- Block untrusted Bluetooth devices from initiating pairing by configuring bluetoothd to require explicit authorization.
- Set Bluetooth adapters to non-discoverable mode to reduce the attack surface until patches are deployed.
# Disable Bluetooth where not required
sudo systemctl stop bluetooth.service
sudo systemctl mask bluetooth.service
sudo modprobe -r btusb bluetooth
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
