Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2026-46056

Опубликовано: 27 мая 2026
Источник: nvd
CVSS3: 8.8
EPSS Низкий

Описание

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: fix potential UAF in SSP passkey handlers

hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently.

Extend the hci_dev_lock critical section to cover all conn usage in both handlers.

Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 3.7 (включая) до 6.1.175 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 6.2 (включая) до 6.6.140 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 6.7 (включая) до 6.12.86 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 6.13 (включая) до 6.18.27 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 6.19 (включая) до 7.0.4 (исключая)

EPSS

Процентиль: 17%
0.00262
Низкий

8.8 High

CVSS3

Дефекты

CWE-416

Связанные уязвимости

ubuntu логотип

CVE-2026-46056

CVSS3: 8.8
ubuntu
29 дней назад

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.

redhat логотип

CVE-2026-46056

CVSS3: 7.1
redhat
30 дней назад

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.

msrc логотип

CVE-2026-46056

CVSS3: 7.1
msrc
29 дней назад

Bluetooth: hci_event: fix potential UAF in SSP passkey handlers

debian логотип

CVE-2026-46056

CVSS3: 8.8
debian
29 дней назад

In the Linux kernel, the following vulnerability has been resolved: B ...

github логотип

GHSA-v6c2-56h6-9pgq

CVSS3: 8.8
github
29 дней назад

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path.

EPSS

Процентиль: 17%
0.00262
Низкий

8.8 High

CVSS3

Дефекты

CWE-416