CVE-2026-43023
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: fix race conditions in sco_sock_connect()
sco_sock_connect() checks sk_state and sk_type without holding the socket lock. Two concurrent connect() syscalls on the same socket can both pass the check and enter sco_connect(), leading to use-after-free.
The buggy scenario involves three participants and was confirmed with additional logging instrumentation:
Thread A (connect): HCI disconnect: Thread B (connect):
sco_sock_connect(sk) sco_sock_connect(sk) sk_state==BT_OPEN sk_state==BT_OPEN (pass, no lock) (pass, no lock) sco_connect(sk): sco_connect(sk): hci_dev_lock hci_dev_lock hci_connect_sco <- blocked -> hcon1 sco_conn_add->conn1 lock_sock(sk) sco_chan_add: conn1->sk = sk sk->conn = conn1 sk_state=BT_CONNECT release_sock hci_dev_unlock hci_dev_lock sco_conn_del: lock_sock(sk) sco_chan_del: sk->conn=NULL conn1->sk=NULL sk_state= BT_CLOSED SOCK_ZAPPED release_sock hci_dev_unlock (unblocked) hci_connect_sco -> hcon2 sco_conn_add -> conn2 lock_sock(sk) sco_chan_add: sk->conn=conn2 sk_state= BT_CONNECT // zombie sk! release_sock hci_dev_unlock
Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to BT_CONNECT. Subsequent cleanup triggers double sock_put() and use-after-free. Meanwhile conn1 is leaked as it was orphaned when sco_conn_del() cleared the association.
Fix this by: - Moving lock_sock() before the sk_state/sk_type checks in sco_sock_connect() to serialize concurrent connect attempts - Fixing the sk_type != SOCK_SEQPACKET check to actually return the error instead of just assigning it - Adding a state re-check in sco_connect() after lock_sock() to catch state changes during the window between the locks - Adding sco_pi(sk)->conn check in sco_chan_add() to prevent double-attach of a socket to multiple connections - Adding hci_conn_drop() on sco_chan_add failure to prevent HCI connection leaks
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
84cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.1.109,<6.1.168
- cpe:2.3:o:linux:linux_kernel:6.3:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.3:rc7:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- osv-coords75 versionspkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-modules-extra-matchedpkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rv
< 5.14.0-687.12.1.el9_8+ 74 more
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 6.12.0-211.18.1.el10_2
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
- (no CPE)range: < 5.14.0-687.12.1.el9_8
Patches
Vulnerability mechanics
References
6- git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27nvdPatch
- git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936bnvdPatch
- git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8dnvdPatch
- git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0nvdPatch
- git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14nvdPatch
- git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9ccnvdPatch
News mentions
0No linked articles in our index yet.