
CVE-2026-53276: Linux Kernel Bluetooth Use-After-Free

CVE-2026-53276 is a use-after-free vulnerability in the Linux kernel Bluetooth ISO component that could allow memory corruption. This article covers the technical details, affected versions, security impact, and mitigation.

CVE-2026-53276 Overview

CVE-2026-53276 is a use-after-free vulnerability in the Linux kernel's Bluetooth Isochronous (ISO) socket subsystem. The flaw exists in the iso_sock_rebind_bc() function, where the bis pointer referencing an hci_conn structure is cached before the socket lock is released. During the unlocked window between release_sock(sk) and hci_dev_lock(bis->hdev), a concurrent close() operation can destroy the connection and free the underlying structure. A subsequent dereference of the freed memory results in a use-after-free condition affecting kernel memory.

Critical Impact

Local exploitation could lead to kernel memory corruption, denial of service, or potential privilege escalation through racing Bluetooth socket operations.

Affected Products

  • Linux kernel (Bluetooth ISO subsystem)
  • Distributions shipping vulnerable kernel versions prior to the upstream fix
  • Systems with Bluetooth LE Audio broadcast (BIS, Broadcast Isochronous Stream) support enabled, i.e. kernels where the ISO socket code (net/bluetooth/iso.c) is built and the bluetooth module is loaded

Discovery Timeline

  • 2026-06-25 - CVE-2026-53276 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53276

Vulnerability Analysis

The vulnerability resides in the Linux Bluetooth ISO (Isochronous) socket implementation, which supports Bluetooth LE Audio Broadcast Isochronous Streams. The function iso_sock_rebind_bc() performs operations that require both the socket lock and the HCI device lock. To maintain correct lock ordering, the code intentionally drops the socket lock before acquiring hci_dev_lock(). However, the function caches a pointer to the hci_conn structure (bis) before this release, then later accesses bis->hdev after re-acquiring locks.

This creates a race window. Once the rebind path has dropped the socket lock, another thread can call close() on the same socket, tear down the connection and drop the last reference to the hci_conn object, which frees it. When iso_sock_rebind_bc() continues and dereferences bis->hdev, it reads freed kernel memory.

Root Cause

The root cause is a concession to lock ordering that opened a time-of-check to time-of-use (TOCTOU) gap: the cached bis pointer is not reference-counted across the socket lock release, so it dangles once a concurrent teardown runs. The upstream fix stops dereferencing bis after the lock drop and instead uses the hdev reference obtained through iso_conn_get_hdev(), which takes that reference under proper synchronization.
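To make the race shape concrete, here is a userspace toy model written for this page. It is not the kernel's code and is not taken from the upstream commits: every name in it (lock_sock, release_sock, hci_conn_put, hci_dev_hold, iso_conn_get_hdev, the struct layouts) is a simplified stand-in that only borrows kernel naming, and the interleaving is injected deterministically through a "race" callback rather than with real threads. The vulnerable rebind caches the connection pointer across the lock drop; the fixed rebind resolves and holds the hdev while the socket lock is held and never touches the cached pointer afterwards. Dropping the last reference only tombstones the object, so the stale access is reported instead of crashing the process:

```c
/* Toy model of the CVE-2026-53276 race shape, added for this page; not kernel code.
 * lock_sock/release_sock, hci_conn_put, hci_dev_hold/put and iso_conn_get_hdev are
 * simplified stand-ins borrowing the kernel's names. "Freeing" an hci_conn only
 * tombstones it, so a stale dereference is reported instead of crashing. */
#include <assert.h>
#include <stdlib.h>

struct hdev     { int refcnt; };                                /* hci_dev_hold()/hci_dev_put() */
struct hci_conn { int refcnt; int freed; struct hdev *hdev; };  /* freed = tombstone flag */
struct iso_sock { int locked; struct hci_conn *conn; };         /* conn = bound BIS connection */
static struct hdev g_hdev = { .refcnt = 1 };                    /* base reference held by the "driver" */

static void lock_sock(struct iso_sock *sk)    { assert(!sk->locked); sk->locked = 1; }
static void release_sock(struct iso_sock *sk) { assert(sk->locked);  sk->locked = 0; }
static void hci_dev_lock(struct hdev *h)      { (void)h; }   /* uncontended in the toy */
static void hci_dev_unlock(struct hdev *h)    { (void)h; }
static struct hdev *hci_dev_hold(struct hdev *h) { h->refcnt++; return h; }
static void hci_dev_put(struct hdev *h)          { h->refcnt--; }

static struct hci_conn *hci_conn_add(struct hdev *h)
{
    struct hci_conn *c = calloc(1, sizeof *c);
    assert(c);
    c->refcnt = 1; c->hdev = h;
    return c;
}

static void hci_conn_put(struct hci_conn *c)
{
    /* The kernel would kfree() here; the toy poisons the object instead. */
    if (--c->refcnt == 0) { c->freed = 1; c->hdev = NULL; }
}

/* close(): detach and drop the socket's connection, the concurrent teardown in the advisory. */
static void iso_sock_close(struct iso_sock *sk)
{
    lock_sock(sk);
    struct hci_conn *c = sk->conn;
    sk->conn = NULL;
    release_sock(sk);
    if (c) hci_conn_put(c);
}

static void no_race(struct iso_sock *sk) { (void)sk; }

/* Vulnerable shape: cache bis under the socket lock, drop the lock for sk -> hdev
 * lock ordering, then dereference the cached pointer. `race` is whatever another
 * thread does during the unlocked window. */
static int rebind_bc_vulnerable(struct iso_sock *sk, void (*race)(struct iso_sock *))
{
    lock_sock(sk);
    struct hci_conn *bis = sk->conn;        /* no reference taken */
    release_sock(sk);
    race(sk);                               /* unlocked window */
    if (bis->freed) return -1;              /* in the kernel this read of bis is the UAF */
    hci_dev_lock(bis->hdev); hci_dev_unlock(bis->hdev);   /* work under the hdev lock elided */
    return 0;
}

/* Fixed shape: resolve and hold hdev while the socket lock is held; bis is never used after. */
static struct hdev *iso_conn_get_hdev(struct iso_sock *sk)
{
    assert(sk->locked);
    return sk->conn ? hci_dev_hold(sk->conn->hdev) : NULL;
}

static int rebind_bc_fixed(struct iso_sock *sk, void (*race)(struct iso_sock *))
{
    lock_sock(sk);
    struct hdev *hdev = iso_conn_get_hdev(sk);
    release_sock(sk);
    race(sk);                               /* close() may destroy the conn; our hdev hold survives */
    if (!hdev) return -1;                   /* socket had no connection at all */
    hci_dev_lock(hdev); hci_dev_unlock(hdev);
    hci_dev_put(hdev);
    return 0;
}

/* One interleaving: 0 = rebind completed cleanly, -1 = stale pointer touched (or no conn). */
static int run_scenario(int (*rebind)(struct iso_sock *, void (*)(struct iso_sock *)),
                        void (*race)(struct iso_sock *))
{
    struct iso_sock sk = { 0 };
    struct hci_conn *conn = hci_conn_add(&g_hdev);
    sk.conn = conn;
    int rc = rebind(&sk, race);
    if (sk.conn) iso_sock_close(&sk);       /* normal teardown when the race did not close it */
    free(conn);                             /* toy memory reclaimed only here, after the checks */
    return rc;
}

int vulnerable_raced(void)   { return run_scenario(rebind_bc_vulnerable, iso_sock_close); }
int vulnerable_unraced(void) { return run_scenario(rebind_bc_vulnerable, no_race); }
int fixed_raced(void)        { return run_scenario(rebind_bc_fixed, iso_sock_close); }
int hdev_refcnt(void)        { return g_hdev.refcnt; }
```

vulnerable_raced() returns -1 because close() ran inside the unlocked window and the cached pointer now refers to a destroyed object; vulnerable_unraced() and fixed_raced() return 0, and after the fixed path the hdev reference count is back to its baseline, which is the property the real fix relies on. In the kernel nothing tombstones the freed slab object, which is why KASAN is the practical way to observe this class of bug.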

Attack Vector

Exploitation requires a local attacker with the ability to open Bluetooth ISO sockets and trigger concurrent rebind and close operations on the same socket. By winning the race against the unlocked window in iso_sock_rebind_bc(), an attacker can cause the kernel to access freed memory. Outcomes range from kernel panic (denial of service) to memory corruption that may be shaped into privilege escalation through heap grooming techniques targeting the freed hci_conn slab object.

No verified public proof-of-concept code is available. Technical details are documented in the upstream kernel commits d324b8aa and f50331f2.

Detection Methods for CVE-2026-53276

Indicators of Compromise

  • Kernel oops or panic messages referencing iso_sock_rebind_bc, hci_dev_lock, or the Bluetooth ISO code path
  • KASAN (Kernel Address Sanitizer) reports indicating use-after-free on hci_conn slab allocations
  • Unexpected system crashes correlated with Bluetooth audio broadcast (BIS) activity

Detection Strategies

  • Enable KASAN on test and staging kernels to surface use-after-free conditions in the Bluetooth subsystem
  • Audit dmesg and journalctl -k output for stack traces referencing iso_sock_rebind_bc or hci_conn teardown
  • Monitor kernel version inventory against the patched stable releases to identify unpatched hosts

Monitoring Recommendations

  • Track process activity that opens AF_BLUETOOTH sockets with the BTPROTO_ISO protocol on multi-user systems
  • Alert on repeated kernel crashes or BUG: warnings originating from net/bluetooth/iso.c
  • Correlate Bluetooth daemon activity with unexpected system reboots or service restarts

How to Mitigate CVE-2026-53276

Immediate Actions Required

  • Apply the upstream stable kernel patches referenced in the kernel.org commits as soon as distribution updates are available
  • Inventory Linux hosts with Bluetooth ISO support enabled and prioritize patching of multi-user and shared systems
  • Where Bluetooth functionality is not required, disable the Bluetooth stack entirely via systemctl disable --now bluetooth and blacklist the bluetooth module

Patch Information

The vulnerability is resolved by commits d324b8aa20bd3c3394e3647dc22491d88f3f4e7a and f50331f2a1441ec49988832c3a95f2edacc47322 in the upstream Linux kernel stable tree. The fix replaces the unsafe bis->hdev access with the hdev reference acquired via iso_conn_get_hdev(), eliminating the race window. Consult your Linux distribution's security advisories for backported kernel package versions.

Workarounds

  • Unload the Bluetooth stack on systems that do not require it. rmmod bluetooth fails while dependent modules (btusb, bnep, rfcomm, hidp) are loaded, so stop bluetoothd first and remove the dependents together with the core module, for example modprobe -r btusb bluetooth
  • Restrict access to Bluetooth by limiting membership of the bluetooth group and by not granting CAP_NET_RAW to untrusted users. Note that these controls gate bluetoothd and raw HCI access; they do not by themselves stop an unprivileged process from creating an AF_BLUETOOTH/BTPROTO_ISO socket, so treat them as hardening rather than a fix
  • Disable Bluetooth LE Audio broadcast features in the bluetoothd configuration where supported; this reduces legitimate use of the BIS code path but does not remove it from the kernel
```bash
# Configuration example: disable the Bluetooth stack on systems that do not need it
sudo systemctl stop bluetooth
sudo systemctl disable bluetooth
# "blacklist" only stops alias-based autoloading; the "install ... /bin/false" line also
# refuses explicit loads and loads requested as a dependency of another module
printf 'blacklist bluetooth\ninstall bluetooth /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-bluetooth.conf
printf 'blacklist btusb\ninstall btusb /bin/false\n' | sudo tee -a /etc/modprobe.d/blacklist-bluetooth.conf
sudo update-initramfs -u   # Debian/Ubuntu; on Fedora/RHEL regenerate with: sudo dracut --force
# After a reboot, confirm nothing from the stack is loaded
lsmod | grep -E '^(bluetooth|btusb) ' || echo "bluetooth stack not loaded"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
