CVE-2026-53252

MEDIUM

Bluetooth: fix memory leak in error path of hci_alloc_dev()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix memory leak in error path of hci_alloc_dev() Early failures in Bluetooth HCI UART configuration leak SRCU percpu memory. When device initialization fails before hci_register_dev() completes, the HCI_UNREGISTER flag is never set. As a result, when the device reference count reaches zero, bt_host_release() evaluates this flag as false and falls back to a direct kfree(hdev). Because hci_release_dev() is bypassed, the SRCU struct initialized early in hci_alloc_dev() is never cleaned up, resulting in a leak of percpu memory. Fix the leak by explicitly calling cleanup_srcu_struct() in the fallback (unregistered) branch of bt_host_release() before freeing the device.

Scores

CVSS v3 5.5
EPSS 0.0014
EPSS Percentile 3.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-401
Status published
Products (34)
linux/Kernel < 5.15.210linux
linux/Kernel 5.16.0 - 6.1.176linux
linux/Kernel 6.13.0 - 6.18.36linux
linux/Kernel 6.16.0 - 7.0.13linux
linux/Kernel 6.2.0 - 6.6.143linux
linux/Kernel 6.7.0 - 6.12.94linux
Linux/Linux < 6.16
Linux/Linux 0e5c144c557df910ab64d9c25d06399a9a735e65
Linux/Linux 1d6123102e9fbedc8d25bf4731da6d513173e49e - 37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f
Linux/Linux 1d6123102e9fbedc8d25bf4731da6d513173e49e - ce4b4cac3c5749b6aa75e62e2991ae2263f2f889
... and 24 more
Published Jun 25, 2026
Tracked Since Jun 25, 2026