PatchSiren cyber security CVE debrief
CVE-2026-43322 Git CVE debrief
CVE-2026-43322 is a Linux kernel Bluetooth memory-safety issue in hci_sync. The supplied record shows a use-after-free in le_read_features_complete involving hci_conn lifetime handling, with NVD rating the issue 8.8 High and an adjacent attack vector. Kernel.org stable references indicate the flaw has been fixed upstream and backported in stable trees.
- Vendor: Git
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-11
Who should care
Linux kernel maintainers, distribution security teams, and operators of systems that have Bluetooth enabled should treat this as high priority. Fleets with exposed or routinely used Bluetooth functionality have the most direct exposure.
Technical summary
The issue is described as a race where hci_conn can be freed after hci_le_read_remote_features_sync returns but before le_read_features_complete runs. Because of that timing, hci_conn_del and hci_cmd_sync_dequeue do not reliably prevent the callback from touching freed memory. The supplied KASAN trace shows a slab-use-after-free in hci_conn_drop reached from le_read_features_complete, and the allocation/free paths point to hci_conn allocation in __hci_conn_add and release via device_release/kobject_cleanup.
Defensive priority
High. Prioritize kernel updates on any system using Bluetooth, especially production hosts and fleet images that can receive nearby Bluetooth traffic.
Recommended defensive actions
- Apply the vendor or stable kernel updates that include the fix referenced by the kernel.org stable commits.
- Update all Linux distributions and custom kernels that include the affected Bluetooth hci_sync code.
- Reboot systems after patching so the running kernel is replaced by the fixed version.
- Track distro and kernel security advisories for backported fixes if you do not build kernels from upstream sources.
Evidence notes
The CVE description includes a KASAN report showing slab-use-after-free in le_read_features_complete, with the call trace reaching hci_conn_drop. The record also states the flaw occurs after hci_le_read_remote_features_sync and before le_read_features_complete, and it provides two kernel.org stable reference URLs that appear to correspond to the fixes/backports. NVD metadata lists CVSS 3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
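For teams that run KASAN-enabled kernels (debug, CI or fuzzing builds; KASAN reports do not appear on kernels built without it), the trace described above can be matched in collected kernel logs. The following is an added example, not code from the CVE record or the kernel project: the sample log is constructed, and the names parse_kasan_reports and matches_debrief_signature are hypothetical.

```python
import re

# Constructed sample log, not copied from the CVE record: timestamps, offsets
# and addresses are invented; the Bluetooth function names are the page's.
SAMPLE_LOG = """\
[  101.120010] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2b0
[  101.120020] Read of size 8 at addr ffff888000000010 by task kworker/u9:0/54
[  101.120030] Call Trace:
[  101.120040]  dump_stack_lvl+0x64/0x80
[  101.120050]  ? hci_conn_drop+0x34/0x2b0
[  101.120060]  hci_conn_drop+0x34/0x2b0
[  101.120070]  le_read_features_complete+0x7e/0x2b0
[  101.120080] Allocated by task 54:
[  101.120090]  __hci_conn_add+0xf8/0x1c70
[  101.120100] Freed by task 60:
[  101.120110]  device_release+0x9e/0x210
[  101.120120]  kobject_cleanup+0x101/0x350
[  102.000010] BUG: KASAN: slab-out-of-bounds in example_driver_read+0x10/0x40
[  102.000020] Call Trace:
[  102.000030]  example_driver_read+0x10/0x40
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]")  # dmesg timestamp prefix
HEADER = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
SECTION = re.compile(r"^\s*(Allocated|Freed) by task \d+")
FRAME = re.compile(r"^\s*(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_kasan_reports(log):
    """Split a kernel log into KASAN reports with access/allocated/freed stacks."""
    reports, cur, section = [], None, "access"
    for raw in log.splitlines():
        line = STAMP.sub("", raw)
        if (head := HEADER.search(line)):
            cur = {"kind": head[1], "access": [], "allocated": [], "freed": []}
            section = "access"
            reports.append(cur)
        elif cur is not None and (sec := SECTION.match(line)):
            section = sec[1].lower()
        elif cur is not None and (frame := FRAME.match(line)) and not frame[1]:
            cur[section].append(frame[2])  # skip "? " frames: unreliable unwinds
    return reports

def matches_debrief_signature(report):
    """True for a use-after-free where hci_conn_drop is reached from
    le_read_features_complete on an object allocated in __hci_conn_add."""
    acc = report["access"]
    return (report["kind"].endswith("use-after-free")
            and "le_read_features_complete" in acc
            and "hci_conn_drop" in acc[:acc.index("le_read_features_complete")]
            and (not report["allocated"] or "__hci_conn_add" in report["allocated"]))
```

A match only indicates that a log contains the crash pattern this debrief describes; whether a given kernel carries the fix still has to be confirmed against the vendor or stable advisories.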
Official resources
- CVE-2026-43322 CVE record (CVE.org)
- CVE-2026-43322 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Publicly published in the supplied record on 2026-05-08 and modified on 2026-05-11. The issue date used here is the CVE publication date, not the generation date of this debrief.