CVE-2026-43023

EUVD-2026-26622

01.05.2026, 15:16

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: fix race conditions in sco_sock_connect()

sco_sock_connect() checks sk_state and sk_type without holding
the socket lock. Two concurrent connect() syscalls on the same
socket can both pass the check and enter sco_connect(), leading
to use-after-free.

The buggy scenario involves three participants and was confirmed
with additional logging instrumentation:

  Thread A (connect):    HCI disconnect:      Thread B (connect):

  sco_sock_connect(sk)                        sco_sock_connect(sk)
  sk_state==BT_OPEN                           sk_state==BT_OPEN
  (pass, no lock)                             (pass, no lock)
  sco_connect(sk):                            sco_connect(sk):
    hci_dev_lock                                hci_dev_lock
    hci_connect_sco                               <- blocked
      -> hcon1
    sco_conn_add->conn1
    lock_sock(sk)
    sco_chan_add:
      conn1->sk = sk
      sk->conn = conn1
    sk_state=BT_CONNECT
    release_sock
    hci_dev_unlock
                           hci_dev_lock
                           sco_conn_del:
                             lock_sock(sk)
                             sco_chan_del:
                               sk->conn=NULL
                               conn1->sk=NULL
                               sk_state=
                                 BT_CLOSED
                               SOCK_ZAPPED
                             release_sock
                           hci_dev_unlock
                                                  (unblocked)
                                                  hci_connect_sco
                                                    -> hcon2
                                                  sco_conn_add
                                                    -> conn2
                                                  lock_sock(sk)
                                                  sco_chan_add:
                                                    sk->conn=conn2
                                                  sk_state=
                                                    BT_CONNECT
                                                  // zombie sk!
                                                  release_sock
                                                  hci_dev_unlock

Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to
BT_CONNECT. Subsequent cleanup triggers double sock_put() and
use-after-free. Meanwhile conn1 is leaked as it was orphaned
when sco_conn_del() cleared the association.

Fix this by:
- Moving lock_sock() before the sk_state/sk_type checks in
  sco_sock_connect() to serialize concurrent connect attempts
- Fixing the sk_type != SOCK_SEQPACKET check to actually
  return the error instead of just assigning it
- Adding a state re-check in sco_connect() after lock_sock()
  to catch state changes during the window between the locks
- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent
  double-attach of a socket to multiple connections
- Adding hci_conn_drop() on sco_chan_add failure to prevent
  HCI connection leaks

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.1.109 ≤ 𝑥 < 6.1.168
linux	linux_kernel	6.3.1 ≤ 𝑥 < 6.6.134
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.81
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.22
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.12
linux	linux_kernel	6.3
linux	linux_kernel	6.3:rc7
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2
linux	linux_kernel	7.0:rc3
linux	linux_kernel	7.0:rc4
linux	linux_kernel	7.0:rc5
linux	linux_kernel	7.0:rc6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.257-1 fixed
forky	7.0.10-1 fixed
sid	7.0.12-2 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-2 fixed

linux-6.1

bullseye (security)

6.1.174-1~deb11u1

fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

kernel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-devel-matched

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-devel-matched

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-abi-stablelists

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-devel-matched

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-uki-virt

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-devel-matched

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-doc

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-tools

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-tools-libs

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-tools-libs-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-uki-virt

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-uki-virt-addons

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-devel-matched

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

libperf

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

perf

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

python3-perf

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

rtla

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein entfernter Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um Sicherheitsmechanismen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen oder Auswirkungen unbestimmter Art zu erzielen.
Published: 2026-05-03T22:00:00+00:00

References

https://git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27

https://git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936b

https://git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d

https://git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0

https://git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14

https://git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9cc