CVE-2026-53251 Overview
CVE-2026-53251 is a reference count leak in the Linux kernel Bluetooth Isochronous (ISO) subsystem (net/bluetooth/iso.c). In iso_conn_big_sync(), the controller is looked up with hci_get_route(), which hands back a struct hci_dev on which it has already taken a reference via hci_dev_hold(). The function then returns, on both the success and the error paths, without the matching hci_dev_put(), so every call leaves one extra reference on the device.
Kernel maintainers resolved the issue across multiple stable branches via the commits referenced in the kernel.org stable tree.
Critical Impact
Every trip through the affected path leaves the controller's struct hci_dev with one reference it will never get back. The object therefore cannot be released when the controller is removed or the module unloaded, which pins kernel memory and driver state. The consequence is degraded availability (resource exhaustion, denial of service) on hosts that expose Bluetooth ISO functionality, not memory corruption.
Affected Products
- Linux kernel versions containing the iso_conn_big_sync implementation prior to the fix
- Distributions tracking mainline and stable kernel branches that include Bluetooth ISO support
- Systems built with CONFIG_BT and LE support on which ISO sockets (Bluetooth LE Audio / Broadcast Isochronous Group, BIG) are enabled
Discovery Timeline
- 2026-06-25 - CVE-2026-53251 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53251
Vulnerability Analysis
The vulnerability is a kernel reference leak in the Bluetooth ISO connection logic. The Linux Bluetooth core uses reference counting on struct hci_dev to manage the lifecycle of HCI controller objects. Callers obtain a reference through hci_get_route(), which internally invokes hci_dev_hold(), and must balance it with a corresponding hci_dev_put() once the device is no longer needed.
In iso_conn_big_sync(), the held hci_dev pointer is used to set up Broadcast Isochronous Group (BIG) synchronization. Both the success path and the error paths return without hci_dev_put(), so each invocation leaves the refcount one higher than it found it.
The per-call cost is a single increment: nothing is allocated, so memory is not consumed on every trigger. The damage shows up when the controller goes away. hci_unregister_dev() drops only its own reference, the leaked references keep the count above zero, and struct hci_dev (together with whatever its release callback would have freed) stays allocated for good. Each controller lifetime that saw the leak therefore loses one hci_dev, which matters most on hosts that cycle controllers often (USB hotplug, suspend/resume, driver reload). Because the hold is a kref on the embedded struct device and kref is built on refcount_t, a saturated count warns and sticks rather than wrapping, so the bug does not become a use-after-free. The EPSS score for this issue is approximately 0.175%, reflecting low observed exploitation likelihood, but local triggering of the path remains feasible on systems exposing ISO sockets.
Root Cause
The root cause is missing reference cleanup. hci_get_route() returns a held reference, and the contract requires the caller to release it with hci_dev_put() once it is done with the device, typically through a single exit label that every error path jumps to. iso_conn_big_sync() had no such release on any exit path, breaking the hold/put invariant on hci_dev.
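To make that contract concrete, here is a small user-space model of it, added as an example for this page and not code from the kernel. The struct, the hold/put helpers and the route lookup are simplified stand-ins named after their kernel counterparts; do_big_sync(), its outcome parameter and the leaked_refs_after() harness are assumptions for the demonstration; and the leaky variant reproduces only the shape of the bug (a held reference dropped on every return), not the real function body.

```c
/* Added example, not kernel code: a user-space model of the hci_dev
 * reference-counting contract that CVE-2026-53251 breaks. Names mirror
 * the kernel's, bodies are simplified stand-ins. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-in for struct hci_dev: only the reference count matters. */
struct hci_dev {
	int refcnt;          /* models dev.kobj.kref in the real struct */
	bool registered;     /* cleared by the unregister step below */
	bool freed;          /* set when the count reaches zero */
};

static struct hci_dev model_hdev;

/* Same balance rule as the kernel's inline wrappers around get_device()
 * and put_device(): every hold needs exactly one put, and the object is
 * released when the count drops to zero. */
static void hci_dev_hold(struct hci_dev *hdev)
{
	hdev->refcnt++;
}

static void hci_dev_put(struct hci_dev *hdev)
{
	assert(hdev->refcnt > 0);
	if (--hdev->refcnt == 0)
		hdev->freed = true;   /* models hci_release_dev() */
}

/* Like the real hci_get_route(): returns a *held* reference, or NULL. */
static struct hci_dev *hci_get_route(void)
{
	if (!model_hdev.registered)
		return NULL;
	hci_dev_hold(&model_hdev);
	return &model_hdev;
}

/* Assumed stand-in for the BIG sync step; the outcome is a parameter so
 * that both the success and the error path can be exercised. */
static int do_big_sync(struct hci_dev *hdev, int outcome)
{
	(void)hdev;
	return outcome;
}

/* Pre-fix shape: the held reference is dropped on the floor on every path. */
static int iso_conn_big_sync_leaky(int outcome)
{
	struct hci_dev *hdev = hci_get_route();

	if (!hdev)
		return -1;                    /* -EHOSTUNREACH in the kernel */
	return do_big_sync(hdev, outcome);    /* BUG: no hci_dev_put() */
}

/* Fixed shape: hci_dev_put() balances hci_get_route() on success and error. */
static int iso_conn_big_sync_fixed(int outcome)
{
	struct hci_dev *hdev = hci_get_route();
	int err;

	if (!hdev)
		return -1;
	err = do_big_sync(hdev, outcome);
	hci_dev_put(hdev);
	return err;
}

/* Assumed harness: register a fresh device, run the variant n times
 * (alternating success and error), unregister, and return how many
 * references are still pinned. 0 means the device was freed. */
static int leaked_refs_after(int (*variant)(int), int n)
{
	model_hdev = (struct hci_dev){ .refcnt = 1, .registered = true, .freed = false };
	for (int i = 0; i < n; i++)
		variant(i % 2 ? -5 : 0);      /* -5 models -EIO on the error path */
	model_hdev.registered = false;
	hci_dev_put(&model_hdev);             /* unregister drops its own reference */
	return model_hdev.freed ? 0 : model_hdev.refcnt;
}

int main(void)
{
	printf("fixed variant, 10 calls: %d leaked refs\n",
	       leaked_refs_after(iso_conn_big_sync_fixed, 10));
	printf("leaky variant, 10 calls: %d leaked refs\n",
	       leaked_refs_after(iso_conn_big_sync_leaky, 10));
	return 0;
}
```

leaked_refs_after() reports 0 for the fixed variant and one pinned reference per call for the leaky one, which is exactly what the controller-removal path sees in the kernel: the device is only freed when the last holder lets go. On a live system the equivalent check is reading hdev->dev.kobj.kref.refcount, and the fix is the same single hci_dev_put() before every return.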
Attack Vector
A local process that can open an ISO socket (socket creation itself carries no capability check, provided ISO support is enabled on the host and the caller is in the initial network namespace) and drive the LE broadcast receive workflow that reaches iso_conn_big_sync() can do so repeatedly; each pass leaks one reference. In practice this needs a working controller on the host and the broadcast setup the path exists to serve; the precise preconditions are visible in net/bluetooth/iso.c. The flaw is a resource-management defect rather than a memory-corruption primitive, and refcount_t saturation keeps the count from wrapping, so impact is limited to availability and stability, not code execution.
No verified public exploit code is available. The fix is published in the kernel stable commits referenced below; readers should consult the kernel commit history for the precise diff that adds the missing hci_dev_put() call.
Detection Methods for CVE-2026-53251
Indicators of Compromise
- A struct hci_dev that survives hci_unregister_dev(). The /sys/class/bluetooth/hciX entry is removed at unregister regardless, so the leak is not visible there; it shows up instead as an unreferenced hci_dev-sized allocation in a kmemleak scan, or as a non-zero hdev->dev.kobj.kref.refcount read with drgn or crash on a live system.
- Kernel memory that grows by roughly one struct hci_dev per controller hotplug, suspend/resume or driver reload cycle on hosts with ISO socket activity, without a matching workload change.
- A refcount_t saturation warning in dmesg attributed to Bluetooth code after extremely heavy ISO activity. Reaching saturation takes an implausible number of leaks, but it is the only per-call symptom the kernel itself emits.
Detection Strategies
- Compare the running kernel version (uname -r) against the fixed stable releases referenced in the kernel.org commits for this CVE. Distribution kernels may carry the backport under an older version string, so check the package changelog or confirm the hci_dev_put() in iso_conn_big_sync() in the shipped source.
- Audit endpoints with Bluetooth LE Audio or BIG functionality enabled and confirm patched kernels are deployed.
- hci_dev_hold() and hci_dev_put() are inline wrappers around get_device()/put_device() and have no symbols of their own, so they cannot be probed directly. Instead, attach a kretprobe to hci_get_route() (and a kprobe to iso_conn_big_sync() where it appears in /proc/kallsyms) with ftrace or bpftrace, record the returned hdev pointer, and pair it with put_device() calls on the corresponding &hdev->dev; a growing set of unmatched holds during ISO socket operations indicates the leak. On a test host, reading hdev->dev.kobj.kref.refcount with drgn before and after a burst of ISO activity is the simpler check.
Monitoring Recommendations
- Monitor kernel memory growth on Bluetooth-enabled hosts using /proc/meminfo and /proc/slabinfo over time, correlated with controller hotplug or driver reload events, since that is when the leaked objects are actually lost.
- Count invocations of iso_conn_big_sync() per process (kprobe or fentry via eBPF, or the function tracer) on hosts that should not be doing LE broadcast receive, and alert on bursts from unexpected or unprivileged processes.
- Track kernel package versions across the fleet to confirm timely application of stable updates that include this fix.
How to Mitigate CVE-2026-53251
Immediate Actions Required
- Update the Linux kernel to a stable release that includes the fix commits referenced in the NVD entry.
- Restrict Bluetooth ISO socket access to trusted users on multi-tenant systems until the patch is applied.
- Disable Bluetooth on hosts that do not require it, using systemctl disable --now bluetooth and unloading the bluetooth module.
Patch Information
The fix adds the missing hci_dev_put() so that the reference taken by hci_get_route() is released on every exit from iso_conn_big_sync(). The change is in the primary stable tree commit referenced by the NVD entry, with backports in commits 23e8eb16, 33d677d2 and 4bbec25f (short hashes as listed there). Distribution-provided kernel updates should be applied through the standard package manager.
Workarounds
- Blocklist the bluetooth kernel module on systems that do not require Bluetooth functionality.
- Disable LE Audio and BIG features in userspace stacks such as BlueZ where configuration permits. This removes the normal way the path is reached but does not stop a process that talks to the ISO socket directly.
- Bluetooth sockets exist only in the initial network namespace (bt_sock_create() returns EAFNOSUPPORT elsewhere), so running untrusted workloads in their own network namespace removes AF_BLUETOOTH entirely; a seccomp filter that denies socket(AF_BLUETOOTH, ...) achieves the same. Capabilities alone do not help, because ISO socket creation has no capability check.
# Configuration example: disable Bluetooth until the kernel is patched
sudo systemctl disable --now bluetooth.service
# 'blacklist' only stops alias-based autoload; the bluetooth core is still
# pulled in as a dependency of btusb/btintel/etc. 'install ... /bin/false'
# makes that dependency load fail as well.
printf 'blacklist btusb\nblacklist bluetooth\ninstall bluetooth /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-bluetooth.conf
sudo modprobe -r btusb bluetooth   # unload now; fails if a controller is still in use
sudo update-initramfs -u           # Debian/Ubuntu; use 'sudo dracut -f' on Fedora/RHEL
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

