CVE-2026-53256 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/1f73f92f66251065a5f39b09a47cf05ea14d3107
https://git.kernel.org/stable/c/43c441edacf953b39517a44f5e5e10a93618b226
https://git.kernel.org/stable/c/6f4462d12133106460d7c046b95aad2491e3fddf
https://git.kernel.org/stable/c/8802413ce63175fb522a2bd609fb043a3550c720
https://git.kernel.org/stable/c/a07d741c077d4e34b16458241a94d29039386553
https://git.kernel.org/stable/c/b0e33e409715c617e2a20f46f99aa5403a14dfda
https://git.kernel.org/stable/c/de31973ef00e5aa55496f84cf6a44bb157a34e02
https://git.kernel.org/stable/c/f5ec76bdbeb80f75ad0be204371afffee0f8fac8

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcomm_connect_ind() then locks the listener, queues a child socket on it, and may notify it after unlocking it. The buggy scenario involves two paths, with each column showing the order within that path: rfcomm_connect_ind(): listener close: 1. Find parent in 1. close() enters rfcomm_get_sock_by_channel() rfcomm_sock_release(). 2. Drop rfcomm_sk_list.lock 2. rfcomm_sock_shutdown() without pinning parent. closes the listener. 3. Call lock_sock(parent) and 3. rfcomm_sock_kill() bt_accept_enqueue(parent, unlinks and puts parent. sk, true). 4. Read parent flags and may 4. parent can be freed. call sk_state_change(). If close wins the race, parent can be freed before rfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the deferred-setup callback. Take a reference on the listener before leaving rfcomm_sk_list.lock. After lock_sock() succeeds, recheck that it is still in BT_LISTEN before queueing a child, cache the deferred-setup bit while the parent is locked, and drop the reference after the last parent use. KASAN reported a slab-use-after-free in lock_sock_nested() from rfcomm_connect_ind(), with the freeing stack going through rfcomm_sock_kill() and rfcomm_sock_release().
Title		Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1f73f92f66251065a5f39b09a47cf05ea14d3107 https://git.kernel.org/stable/c/43c441edacf953b39517a44f5e5e10a93618b226 https://git.kernel.org/stable/c/6f4462d12133106460d7c046b95aad2491e3fddf https://git.kernel.org/stable/c/8802413ce63175fb522a2bd609fb043a3550c720 https://git.kernel.org/stable/c/a07d741c077d4e34b16458241a94d29039386553 https://git.kernel.org/stable/c/b0e33e409715c617e2a20f46f99aa5403a14dfda https://git.kernel.org/stable/c/de31973ef00e5aa55496f84cf6a44bb157a34e02 https://git.kernel.org/stable/c/f5ec76bdbeb80f75ad0be204371afffee0f8fac8

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53256", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.394Z", "datePublished": "2026-06-25T08:39:46.591Z", "dateUpdated": "2026-06-25T08:39:46.591Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-25T08:39:46.591Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()\n\nrfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock,\nbut returns the selected listener after dropping that lock without\ntaking a reference. rfcomm_connect_ind() then locks the listener,\nqueues a child socket on it, and may notify it after unlocking it.\n\nThe buggy scenario involves two paths, with each column showing the\norder within that path:\n\nrfcomm_connect_ind(): listener close:\n 1. Find parent in 1. close() enters\n rfcomm_get_sock_by_channel() rfcomm_sock_release().\n 2. Drop rfcomm_sk_list.lock 2. rfcomm_sock_shutdown()\n without pinning parent. closes the listener.\n 3. Call lock_sock(parent) and 3. rfcomm_sock_kill()\n bt_accept_enqueue(parent, unlinks and puts parent.\n sk, true).\n 4. Read parent flags and may 4. parent can be freed.\n call sk_state_change().\n\nIf close wins the race, parent can be freed before\nrfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the\ndeferred-setup callback.\n\nTake a reference on the listener before leaving rfcomm_sk_list.lock.\nAfter lock_sock() succeeds, recheck that it is still in BT_LISTEN\nbefore queueing a child, cache the deferred-setup bit while the parent\nis locked, and drop the reference after the last parent use.\n\nKASAN reported a slab-use-after-free in lock_sock_nested() from\nrfcomm_connect_ind(), with the freeing stack going through\nrfcomm_sock_kill() and rfcomm_sock_release()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/rfcomm/sock.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f5ec76bdbeb80f75ad0be204371afffee0f8fac8", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "a07d741c077d4e34b16458241a94d29039386553", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "1f73f92f66251065a5f39b09a47cf05ea14d3107", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "de31973ef00e5aa55496f84cf6a44bb157a34e02", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "b0e33e409715c617e2a20f46f99aa5403a14dfda", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "8802413ce63175fb522a2bd609fb043a3550c720", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6f4462d12133106460d7c046b95aad2491e3fddf", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "43c441edacf953b39517a44f5e5e10a93618b226", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/rfcomm/sock.c"], "versions": [{"version": "2.6.12", "status": "affected"}, {"version": "0", "lessThan": "2.6.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.259", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.210", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.176", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.143", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.94", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.36", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.13", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.10.259"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.15.210"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.1.176"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.6.143"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.12.94"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.18.36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.0.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f5ec76bdbeb80f75ad0be204371afffee0f8fac8"}, {"url": "https://git.kernel.org/stable/c/a07d741c077d4e34b16458241a94d29039386553"}, {"url": "https://git.kernel.org/stable/c/1f73f92f66251065a5f39b09a47cf05ea14d3107"}, {"url": "https://git.kernel.org/stable/c/de31973ef00e5aa55496f84cf6a44bb157a34e02"}, {"url": "https://git.kernel.org/stable/c/b0e33e409715c617e2a20f46f99aa5403a14dfda"}, {"url": "https://git.kernel.org/stable/c/8802413ce63175fb522a2bd609fb043a3550c720"}, {"url": "https://git.kernel.org/stable/c/6f4462d12133106460d7c046b95aad2491e3fddf"}, {"url": "https://git.kernel.org/stable/c/43c441edacf953b39517a44f5e5e10a93618b226"}], "title": "Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()", "x_generator": {"engine": "bippy-1.2.0"}}}}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object