CVE-2026-53252: Linux Kernel Bluetooth Memory Leak Issue

CVE-2026-53252 is a memory leak flaw in the Linux kernel Bluetooth subsystem affecting HCI UART configuration. This article covers the technical details, affected versions, potential impact, and mitigation.

CVE-2026-53252 Overview

CVE-2026-53252 is a memory leak vulnerability in the Linux kernel's Bluetooth subsystem. The flaw exists in the error path of hci_alloc_dev() and affects HCI (Host Controller Interface) UART configuration. When device initialization fails before hci_register_dev() completes, the HCI_UNREGISTER flag is never set, causing bt_host_release() to bypass hci_release_dev() and fall back to a direct kfree(hdev). As a result, the Sleepable Read-Copy-Update (SRCU) struct that hci_alloc_dev() initialized earlier is never cleaned up, and percpu memory leaks on each failed initialization.

Critical Impact

Repeated early-failure initialization of Bluetooth HCI UART devices leaks SRCU percpu memory, contributing to kernel memory exhaustion over time.

Affected Products

  • Linux kernel Bluetooth subsystem (HCI UART driver)
  • Distributions shipping affected kernel versions prior to the patched stable releases
  • Systems using Bluetooth HCI UART transport

Discovery Timeline

  • 2026-06-25 - CVE-2026-53252 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53252

Vulnerability Analysis

The vulnerability resides in the Linux kernel Bluetooth HCI device lifecycle management. hci_alloc_dev() initializes an SRCU struct early during device allocation. Under normal teardown, hci_release_dev() invokes cleanup_srcu_struct() to free the associated percpu data.

When HCI UART initialization fails before hci_register_dev() completes, the device never receives the HCI_UNREGISTER flag. The release callback bt_host_release() checks this flag to determine the cleanup path. With the flag unset, the function bypasses hci_release_dev() and frees the device directly with kfree(hdev).

This bypass omits cleanup_srcu_struct(), leaving the SRCU percpu allocations orphaned. Each failed initialization permanently leaks memory proportional to the number of CPUs.

Root Cause

The root cause is asymmetric resource management between the allocation and release paths. hci_alloc_dev() initializes the SRCU struct unconditionally, but the cleanup logic in bt_host_release() only invokes the full release routine when HCI_UNREGISTER is set. Devices that fail before registration fall through to a partial cleanup path that does not match the initialization performed.

Attack Vector

The leak triggers when Bluetooth HCI UART device probing fails after hci_alloc_dev() but before hci_register_dev() completes. Local actors with the ability to repeatedly attach, detach, or trigger initialization failures on UART-attached Bluetooth controllers can drive cumulative percpu memory exhaustion. Exploitability is constrained to scenarios with physical or privileged access to Bluetooth UART transport configuration. The fix explicitly calls cleanup_srcu_struct() in the fallback branch of bt_host_release() before freeing the device.

The vulnerability is described in prose because no verified exploit code is published. See the upstream commits referenced below for the canonical patch.

Detection Methods for CVE-2026-53252

Indicators of Compromise

  • Gradual increase in kernel percpu memory consumption visible in /proc/meminfo (Percpu: line) without a corresponding workload change
  • Repeated probe failures from the hci_uart driver in dmesg or journalctl -k output
  • Slab/percpu statistics in /proc/slabinfo showing growth of SRCU-related allocations following Bluetooth initialization failures

Detection Strategies

  • Correlate Bluetooth driver probe failure messages with subsequent percpu memory growth across reboots or hotplug cycles
  • Audit running kernel versions against the patched stable Linux releases referenced in the upstream commits
  • Track kmemleak reports for unreleased SRCU percpu allocations on debug kernels

Monitoring Recommendations

  • Monitor Percpu memory metrics over time and alert on sustained upward trends on systems using Bluetooth UART transport
  • Collect kernel logs for hci_uart initialization failures and trend their frequency
  • Inventory kernel versions across the fleet to identify hosts still running unpatched builds
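
The correlation described in the detection and monitoring items above, as an added example that is not from the original advisory: it reads the Percpu: value from /proc/meminfo text, counts failure lines in kernel log output, and flags a window where Percpu only grows while failures are logged. The log-matching pattern, the thresholds and all sample inputs are constructed assumptions; adjust the pattern to the messages your kernel actually emits.

```python
import re

# Assumption: a loose pattern for failure lines; tune it to your kernel's real messages.
FAIL_RE = re.compile(r"(hci_uart|Bluetooth: hci\d+).*(fail|error)", re.I)

def percpu_kb(meminfo_text):
    """Return the Percpu: value in kB from /proc/meminfo text, or None if absent."""
    m = re.search(r"^Percpu:\s+(\d+)\s+kB", meminfo_text, re.M)
    return int(m.group(1)) if m else None

def count_failures(log_lines):
    """Count kernel log lines that look like HCI UART initialization failures."""
    return sum(1 for line in log_lines if FAIL_RE.search(line))

def assess(samples, min_growth_kb=256, min_failures=3):
    """samples: list of (percpu_kb, failures_in_interval), oldest first.

    Flags the window when Percpu never shrinks, grows by at least
    min_growth_kb overall, and the intervals that grew also logged failures.
    """
    kbs = [kb for kb, _ in samples]
    deltas = [b - a for a, b in zip(kbs, kbs[1:])]
    growth = kbs[-1] - kbs[0]
    monotonic = all(d >= 0 for d in deltas)
    # Failures logged in the intervals where Percpu actually grew.
    fails_on_growth = sum(f for (_, f), d in zip(samples[1:], deltas) if d > 0)
    total_fails = sum(f for _, f in samples[1:])
    return {
        "growth_kb": growth,
        "failures": total_fails,
        # A leak per failed init should give a roughly steady ratio on one host.
        "kb_per_failure": growth / total_fails if total_fails else None,
        "suspicious": (monotonic and growth >= min_growth_kb
                       and fails_on_growth >= min_failures),
    }

# Constructed sample inputs (not captured from a real host).
SAMPLE_MEMINFO = "MemTotal:  8000000 kB\nPercpu:     5120 kB\nHardwareCorrupted: 0 kB\n"
SAMPLE_LOG = [
    "kernel: Bluetooth: hci0: setup failed (constructed line)",
    "kernel: usb 1-1: new high-speed USB device (constructed line)",
    "kernel: hci_uart: probe error (constructed line)",
]
SAMPLE_WINDOW = [(5120, 0), (5184, 2), (5312, 4), (5312, 0), (5440, 4)]

if __name__ == "__main__":
    print(percpu_kb(SAMPLE_MEMINFO), count_failures(SAMPLE_LOG))
    print(assess(SAMPLE_WINDOW))
```

On a live host, feed percpu_kb() the contents of /proc/meminfo and count_failures() the lines from journalctl -k collected since the previous sample.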

How to Mitigate CVE-2026-53252

Immediate Actions Required

  • Update affected Linux kernels to the patched stable releases containing the fix to bt_host_release()
  • On systems that do not require Bluetooth, unload the hci_uart and bluetooth modules to eliminate the code path
  • Restrict physical and administrative access to Bluetooth UART hardware to prevent repeated failure-triggering operations

Patch Information

The fix adds an explicit call to cleanup_srcu_struct() in the unregistered fallback branch of bt_host_release() before kfree(hdev). The patch is available across multiple stable trees through the following upstream commits: Kernel Git Commit 0622e52, Kernel Git Commit 37b3009, Kernel Git Commit 5b7dfca, Kernel Git Commit bc2efe7, Kernel Git Commit c016118, Kernel Git Commit ce4b4ca, and Kernel Git Commit f827994.

Workarounds

  • Blacklist the hci_uart module on hosts that do not require UART-attached Bluetooth controllers
  • Disable Bluetooth via systemctl disable --now bluetooth and prevent module autoload until the kernel is patched
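  • Reboot systems exhibiting elevated percpu memory consumption to reclaim leaked memory as an interim measure

```bash
# Blacklist hci_uart until the kernel is patched
echo 'blacklist hci_uart' | sudo tee /etc/modprobe.d/blacklist-hci_uart.conf
# Unload the module if it is loaded; errors are suppressed, so confirm with lsmod that it is gone
sudo modprobe -r hci_uart 2>/dev/null
# Rebuild the initramfs so the blacklist applies at early boot (Debian/Ubuntu; use dracut -f on Fedora/RHEL)
sudo update-initramfs -u
```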

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
