CVE-2023-53374

18.09.2025, 14:15

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fail SCO/ISO via hci_conn_failed if ACL gone early

Not calling hci_(dis)connect_cfm before deleting conn referred to by a
socket generally results to use-after-free.

When cleaning up SCO connections when the parent ACL is deleted too
early, use hci_conn_failed to do the connection cleanup properly.

We also need to clean up ISO connections in a similar situation when
connecting has started but LE Create CIS is not yet sent, so do it too
here.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Linux	CNA	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Vendor	Product	Version
linux	linux_kernel	6.3.8 ≤ 𝑥 < 6.4
linux	linux_kernel	6.4.1 ≤ 𝑥 < 6.4.16
linux	linux_kernel	6.5 ≤ 𝑥 < 6.5.3
linux	linux_kernel	6.4
linux	linux_kernel	6.4:rc4
linux	linux_kernel	6.4:rc5
linux	linux_kernel	6.4:rc6
linux	linux_kernel	6.4:rc7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bookworm	6.1.148-1 not-affected
bullseye (security)	5.10.237-1 fixed
bookworm (security)	6.1.147-1 fixed
trixie	6.12.43-1 fixed
trixie (security)	6.12.41-1 fixed
forky	6.16.7-1 fixed
sid	6.16.7-1 fixed

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/3344d318337d9dca928fd448e966557ec5063f85

https://git.kernel.org/stable/c/397d58007532644b35fad746da48c41161f32a57

https://git.kernel.org/stable/c/e94b898463a62b72a2a8b75dea8936bf4db78e00