PatchSiren cyber security CVE debrief
CVE-2026-46111 Linux CVE debrief
A use-after-free (UAF) vulnerability in the Linux kernel's Bluetooth subsystem could allow local attackers to trigger memory corruption during BIG (Broadcast Isochronous Group) creation. The flaw exists in create_big_sync() and create_big_complete() where stale hci_conn connection objects may be dereferenced after being freed. The fix adds hci_conn_valid() validation checks, reference counting via hci_conn_get()/hci_conn_put() to keep connection objects alive across async boundaries, and proper locking with hci_dev_lock() to prevent race conditions during connection teardown.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-30
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-30
Who should care
Linux system administrators, kernel maintainers, embedded/IoT device manufacturers using Bluetooth, security teams managing Bluetooth-enabled infrastructure, and organizations with physical security concerns where attackers may have Bluetooth proximity access.
Technical summary
The vulnerability is a use-after-free in the Linux kernel's Bluetooth host controller interface (HCI) connection management code, specifically in the Broadcast Isochronous Group (BIG) creation path. The create_big_sync() function could operate on stale hci_conn objects that had been freed, and create_big_complete() would unconditionally dereference the conn pointer on error paths. The fix implements: (1) hci_conn_valid() checks to detect stale connections before BIG creation, (2) reference counting with hci_conn_get() when queueing work and hci_conn_put() in completion callbacks to keep objects alive across async boundaries, (3) re-validation under hci_dev_lock() before dereferencing, matching patterns in create_le_conn_complete() and create_pa_complete(). The refcount and lock are complementary: refcount prevents deallocation while hci_dev_lock() serializes list operations on hdev->conn_hash.
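The pattern described above, modeled in userspace C as an added example; it is not the kernel patch or code from the CVE record. The names conn_get, conn_put, conn_valid, work_complete and the pthread mutex standing in for hci_dev_lock() are assumptions made for illustration.

```c
/* Userspace model of the fix pattern. All names are hypothetical; not kernel code. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

struct conn { atomic_int refcnt; int err; struct conn *next; };
struct dev  { pthread_mutex_t lock; struct conn *conns; };
static int freed;                       /* counts released objects, for the demo */
static struct conn *conn_get(struct conn *c) { atomic_fetch_add(&c->refcnt, 1); return c; }
static void conn_put(struct conn *c) {
    if (atomic_fetch_sub(&c->refcnt, 1) == 1) { freed++; free(c); }
}
static int conn_valid(struct dev *d, struct conn *c) {   /* caller holds d->lock */
    for (struct conn *i = d->conns; i; i = i->next) if (i == c) return 1;
    return 0;
}
static struct conn *conn_add(struct dev *d) {
    struct conn *c = calloc(1, sizeof(*c));
    if (!c) abort();
    atomic_init(&c->refcnt, 1);         /* reference owned by the list */
    pthread_mutex_lock(&d->lock);
    c->next = d->conns; d->conns = c;
    pthread_mutex_unlock(&d->lock);
    return c;
}
static void conn_del(struct dev *d, struct conn *c) {    /* teardown path */
    pthread_mutex_lock(&d->lock);
    for (struct conn **p = &d->conns; *p; p = &(*p)->next)
        if (*p == c) { *p = c->next; break; }
    pthread_mutex_unlock(&d->lock);
    conn_put(c);                        /* drop the list's reference */
}
/* Completion callback: revalidate under the lock, then drop the work's reference. */
static int work_complete(struct dev *d, struct conn *c, int err) {
    int handled = 0;
    pthread_mutex_lock(&d->lock);
    if (err && conn_valid(d, c)) { c->err = err; handled = 1; }
    pthread_mutex_unlock(&d->lock);
    conn_put(c);                        /* memory stayed valid until here */
    return handled;
}
static int demo(int teardown_first) {   /* returns 1 if the error path touched conn */
    struct dev d = { PTHREAD_MUTEX_INITIALIZER, NULL };
    struct conn *c = conn_add(&d), *held = conn_get(c);  /* ref taken when queueing */
    if (teardown_first) conn_del(&d, c);
    int handled = work_complete(&d, held, -5);
    if (!teardown_first) conn_del(&d, c);
    return handled;
}
int main(void) { return !(demo(0) == 1 && demo(1) == 0); }
```

When teardown wins the race, the reference held by the queued work keeps the object allocated, and the list check under the lock is what stops the callback from acting on a connection that is no longer registered.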
Defensive priority
high
Recommended defensive actions
- Apply kernel updates from your Linux distribution that include the fix for CVE-2026-46111
- Verify that the running kernel is not vulnerable by checking stable branches for commits 0beddb0c380b, 1750a2df0eab, 6823f730bf19, dc34f8d8240f, or f8eaf92c57ad
- If immediate patching is not possible, consider disabling Bluetooth or restricting Bluetooth access to trusted users
- Monitor system logs for Bluetooth-related crashes or errors that may indicate exploitation attempts
- Review Bluetooth device access controls and limit physical proximity of untrusted Bluetooth devices
Evidence notes
The vulnerability description and fix details are sourced from the official CVE record and NVD entry. The kernel commit references confirm the patch implements reference counting and validation checks in net/bluetooth/hci_conn.c.
Official resources
- CVE-2026-46111 CVE record (CVE.org)
- CVE-2026-46111 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
The vulnerability was disclosed via the Linux kernel stable tree on 2026-05-28. The fix has been backported to multiple stable kernel branches.