CVE-2025-68304
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't ensure hci_conn* is not concurrently modified/deleted. This locking appears to be leftover from before conn_hash started using RCU in commit bf4c63252490b ("Bluetooth: convert conn hash to RCU"), and it is not clear whether it has had a purpose since then.
Currently, there are code paths that delete hci_conn* from elsewhere than the ordered hdev->workqueue in which the RX work runs. E.g. commit 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync") introduced some of these, and there probably were a few others before it. It's better to do the locking so that, even if these run concurrently, no UAF is possible.
Move the lookup of hci_conn and associated socket-specific conn to protocol recv handlers, and do them within a single critical section to cover hci_conn* usage and lookup.
syzkaller has reported a crash that appears to be this issue:
[Task hdev->workqueue]              [Task 2]
                                    hci_disconnect_all_sync
l2cap_recv_acldata(hcon)
hci_conn_get(hcon)
                                    hci_abort_conn_sync(hcon)
hci_dev_lock                        hci_dev_lock
                                    hci_conn_del(hcon)
v--------------------------------   hci_dev_unlock
hci_conn_put(hcon)
conn = hcon->l2cap_data (UAF)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free (UAF) vulnerability in the Linux kernel Bluetooth subsystem arises from an RCU-protected conn_hash lookup not being properly synchronized with concurrent deletion, enabling an attacker to trigger memory corruption.
Vulnerability
Description
The hci_conn lookup performed by the Bluetooth core's RX path (hci_core) did not adequately synchronize with concurrent deletion operations. Although the conn hash was converted to RCU in commit bf4c63252490, the legacy hdev lock/unlock pattern in the packet RX code did not account for the fact that hci_conn could be deleted from other contexts, such as hci_abort_conn_sync called from hci_disconnect_all_sync, without being serialized by the same workqueue [1]. This creates a race condition in which a reference to a hci_conn structure remains in use after the structure has been freed, a use-after-free (UAF) [1].
Exploitation
Scenario
An attacker on the same Bluetooth piconet or with the ability to inject crafted Bluetooth packets can trigger the vulnerable code path. No authentication is required beyond basic Bluetooth connectivity. The race window is deterministic: on the RX workqueue, l2cap_recv_acldata dereferences hcon->l2cap_data while a concurrent call to hci_disconnect_all_sync (running from another thread) can delete the same hci_conn via hci_conn_del [1]. The syzkaller reproduction clearly demonstrates the overlapping sequence:
[Task hdev->workqueue]              [Task 2]
                                    hci_disconnect_all_sync
l2cap_recv_acldata(hcon)
hci_conn_get(hcon)
                                    hci_abort_conn_sync(hcon)
hci_dev_lock                        hci_dev_lock
                                    hci_conn_del(hcon)
v--------------------------------   hci_dev_unlock
hci_conn_put(hcon)
conn = hcon->l2cap_data (UAF)
[1]
Impact
Successful exploitation of this UAF can cause a kernel crash (denial of service). In more sophisticated cases, an attacker might leverage the freed memory to execute arbitrary code in the kernel context, leading to full system compromise. The vulnerability has been confirmed via syzkaller, which reported a crash consistent with the described race [1].
Mitigation
Status
The fix moves the lookup of hci_conn and associated socket-specific data into the protocol recv handlers, performing the entire lookup and use within a single critical section under RCU protection [1]. This ensures that the hci_conn pointer cannot be invalidated while it is being dereferenced. The commit (79a2d4678ba90bdba577dc3af88cc900d6dcd5ee) has been merged into the Linux kernel stable tree. Users should apply the latest kernel updates to mitigate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.