FKIE_CVE-2026-43023

Vulnerability from fkie_nvd - Published: 2026-05-01 15:16 - Updated: 2026-05-03 07:16
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: fix race conditions in sco_sock_connect() sco_sock_connect() checks sk_state and sk_type without holding the socket lock. Two concurrent connect() syscalls on the same socket can both pass the check and enter sco_connect(), leading to use-after-free. The buggy scenario involves three participants and was confirmed with additional logging instrumentation: Thread A (connect): HCI disconnect: Thread B (connect): sco_sock_connect(sk) sco_sock_connect(sk) sk_state==BT_OPEN sk_state==BT_OPEN (pass, no lock) (pass, no lock) sco_connect(sk): sco_connect(sk): hci_dev_lock hci_dev_lock hci_connect_sco <- blocked -> hcon1 sco_conn_add->conn1 lock_sock(sk) sco_chan_add: conn1->sk = sk sk->conn = conn1 sk_state=BT_CONNECT release_sock hci_dev_unlock hci_dev_lock sco_conn_del: lock_sock(sk) sco_chan_del: sk->conn=NULL conn1->sk=NULL sk_state= BT_CLOSED SOCK_ZAPPED release_sock hci_dev_unlock (unblocked) hci_connect_sco -> hcon2 sco_conn_add -> conn2 lock_sock(sk) sco_chan_add: sk->conn=conn2 sk_state= BT_CONNECT // zombie sk! release_sock hci_dev_unlock Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to BT_CONNECT. Subsequent cleanup triggers double sock_put() and use-after-free. Meanwhile conn1 is leaked as it was orphaned when sco_conn_del() cleared the association. Fix this by: - Moving lock_sock() before the sk_state/sk_type checks in sco_sock_connect() to serialize concurrent connect attempts - Fixing the sk_type != SOCK_SEQPACKET check to actually return the error instead of just assigning it - Adding a state re-check in sco_connect() after lock_sock() to catch state changes during the window between the locks - Adding sco_pi(sk)->conn check in sco_chan_add() to prevent double-attach of a socket to multiple connections - Adding hci_conn_drop() on sco_chan_add failure to prevent HCI connection leaks
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9cc
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: fix race conditions in sco_sock_connect()\n\nsco_sock_connect() checks sk_state and sk_type without holding\nthe socket lock. Two concurrent connect() syscalls on the same\nsocket can both pass the check and enter sco_connect(), leading\nto use-after-free.\n\nThe buggy scenario involves three participants and was confirmed\nwith additional logging instrumentation:\n\n  Thread A (connect):    HCI disconnect:      Thread B (connect):\n\n  sco_sock_connect(sk)                        sco_sock_connect(sk)\n  sk_state==BT_OPEN                           sk_state==BT_OPEN\n  (pass, no lock)                             (pass, no lock)\n  sco_connect(sk):                            sco_connect(sk):\n    hci_dev_lock                                hci_dev_lock\n    hci_connect_sco                               \u003c- blocked\n      -\u003e hcon1\n    sco_conn_add-\u003econn1\n    lock_sock(sk)\n    sco_chan_add:\n      conn1-\u003esk = sk\n      sk-\u003econn = conn1\n    sk_state=BT_CONNECT\n    release_sock\n    hci_dev_unlock\n                           hci_dev_lock\n                           sco_conn_del:\n                             lock_sock(sk)\n                             sco_chan_del:\n                               sk-\u003econn=NULL\n                               conn1-\u003esk=NULL\n                               sk_state=\n                                 BT_CLOSED\n                               SOCK_ZAPPED\n                             release_sock\n                           hci_dev_unlock\n                                                  (unblocked)\n                                                  hci_connect_sco\n                                                    -\u003e hcon2\n                                                  sco_conn_add\n                                                    -\u003e conn2\n                                                  lock_sock(sk)\n                                                  sco_chan_add:\n                                                    sk-\u003econn=conn2\n                                                  sk_state=\n                                                    BT_CONNECT\n                                                  // zombie sk!\n                                                  release_sock\n                                                  hci_dev_unlock\n\nThread B revives a BT_CLOSED + SOCK_ZAPPED socket back to\nBT_CONNECT. Subsequent cleanup triggers double sock_put() and\nuse-after-free. Meanwhile conn1 is leaked as it was orphaned\nwhen sco_conn_del() cleared the association.\n\nFix this by:\n- Moving lock_sock() before the sk_state/sk_type checks in\n  sco_sock_connect() to serialize concurrent connect attempts\n- Fixing the sk_type != SOCK_SEQPACKET check to actually\n  return the error instead of just assigning it\n- Adding a state re-check in sco_connect() after lock_sock()\n  to catch state changes during the window between the locks\n- Adding sco_pi(sk)-\u003econn check in sco_chan_add() to prevent\n  double-attach of a socket to multiple connections\n- Adding hci_conn_drop() on sco_chan_add failure to prevent\n  HCI connection leaks"
    }
  ],
  "id": "CVE-2026-43023",
  "lastModified": "2026-05-03T07:16:22.327",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-01T15:16:46.610",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9cc"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.