PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46056 Linux CVE debrief

A use-after-free (UAF) vulnerability exists in the Linux kernel's Bluetooth subsystem, specifically within the Simple Secure Pairing (SSP) passkey event handlers. The flaw affects `hci_user_passkey_notify_evt()` and `hci_keypress_notify_evt()` functions in `net/bluetooth/hci_event.c`. Without proper synchronization, the `hci_conn` connection object can be freed by a concurrent thread while these handlers are still accessing it, leading to memory corruption and potential privilege escalation or system instability. The vulnerability stems from insufficient locking coverage: the `hci_dev_lock` was not held during all phases of connection lookup and field access. The fix extends the critical section to encompass all `conn` usage in both handlers, ensuring thread-safe access to connection state during SSP passkey negotiations.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Linux system administrators, embedded/IoT device manufacturers using Bluetooth connectivity, kernel maintainers, security teams managing Bluetooth-enabled endpoints, and organizations with bring-your-own-device policies where Bluetooth pairing occurs

Technical summary

The vulnerability is a race condition in Bluetooth Host Controller Interface (HCI) event handling. During Simple Secure Pairing (SSP) passkey notification and keypress notification events, the kernel performs `hci_conn` lookups and accesses connection fields without holding the `hci_dev_lock` for the entire operation window. This creates a race window where a concurrent operation (e.g., connection teardown, timeout, or error handling) can free the connection object, resulting in use-after-free when the original handler continues execution. The fix consolidates locking to ensure `hci_dev_lock` is held across all connection access paths, with careful handling of early exit paths to preserve existing keypress notification semantics.
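As an added illustration (a toy model written for this debrief, not the kernel's code), the following C sketches the lock-coverage difference the fix makes: a flag stands in for `hci_dev_lock`, `conn_teardown_try` plays the concurrent disconnect/timeout path, and `passkey_notify_short_lock` / `passkey_notify_full_lock` are assumed names for the handler shape before and after the fix. A freed `hci_conn` is kept in memory with a `freed` flag so the use-after-free can be detected rather than crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Toy model, not kernel code: an hci_dev with a 4-slot connection table and a
 * flag standing in for hci_dev_lock; teardown may run only while it is clear. */
struct hci_conn { uint16_t handle; uint32_t passkey; bool freed; };
struct hci_dev { bool locked; struct hci_conn *conns[4]; };

static struct hci_conn *conn_hash_lookup(struct hci_dev *hdev, uint16_t handle)
{
	for (int i = 0; i < 4; i++)
		if (hdev->conns[i] && hdev->conns[i]->handle == handle) return hdev->conns[i];
	return NULL;
}
/* Disconnect/timeout path racing the handler: frees the conn if it can take
 * hci_dev_lock. Memory is kept (freed flag) so the UAF stays detectable. */
static bool conn_teardown_try(struct hci_dev *hdev, uint16_t handle)
{
	if (hdev->locked) return false;              /* handler holds the lock: deferred */
	struct hci_conn *conn = conn_hash_lookup(hdev, handle);
	if (!conn) return false;
	conn->freed = true;                          /* modelled kfree() */
	for (int i = 0; i < 4; i++)
		if (hdev->conns[i] == conn) hdev->conns[i] = NULL;
	return true;
}

/* Vulnerable shape: the lock covers only the lookup. Returns the passkey,
 * -1 if no conn, or -2 if a freed conn was dereferenced (the modelled UAF). */
static int passkey_notify_short_lock(struct hci_dev *hdev, uint16_t handle)
{
	hdev->locked = true;
	struct hci_conn *conn = conn_hash_lookup(hdev, handle);
	hdev->locked = false;
	if (!conn) return -1;
	conn_teardown_try(hdev, handle);             /* race window: teardown wins */
	return conn->freed ? -2 : (int)conn->passkey;
}

/* Fixed shape: hci_dev_lock held across the lookup and every field access. */
static int passkey_notify_full_lock(struct hci_dev *hdev, uint16_t handle)
{
	hdev->locked = true;
	struct hci_conn *conn = conn_hash_lookup(hdev, handle);
	if (!conn) { hdev->locked = false; return -1; }
	conn_teardown_try(hdev, handle);             /* same window, lock held: deferred */
	int ret = conn->freed ? -2 : (int)conn->passkey;
	hdev->locked = false;
	return ret;
}
```

With the short critical section the teardown slips into the window and the handler reads a freed object; with the lock held across the whole access the teardown is deferred until the handler is done, which is the property the fix restores.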

Defensive priority

high

Recommended defensive actions

  • Apply kernel updates containing the referenced stable tree commits once available for your distribution
  • Verify Bluetooth kernel module (bluetooth, btusb, hci_uart) versions match patched releases
  • Monitor system logs for Bluetooth-related crashes or warnings that may indicate exploitation attempts
  • Consider disabling Bluetooth or restricting pairing to trusted devices on critical systems until patching is complete
  • Review kernel crash dumps for use-after-free signatures in hci_event.c if instability is observed

Evidence notes

The vulnerability description explicitly identifies the affected functions (`hci_user_passkey_notify_evt` and `hci_keypress_notify_evt`) and the root cause (missing `hdev` lock coverage during `hci_conn` operations). Five kernel.org stable tree commits are provided as references, indicating backports to multiple kernel versions. The fix pattern, extending `hci_dev_lock` critical sections, is a standard defensive synchronization approach for HCI connection lifecycle management.

Official resources

2026-05-27