CVE-2026-43023

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: SCO: fix race conditions in sco_sock_connect()<br /> <br /> sco_sock_connect() checks sk_state and sk_type without holding<br /> the socket lock. Two concurrent connect() syscalls on the same<br /> socket can both pass the check and enter sco_connect(), leading<br /> to use-after-free.<br /> <br /> The buggy scenario involves three participants and was confirmed<br /> with additional logging instrumentation:<br /> <br /> Thread A (connect): HCI disconnect: Thread B (connect):<br /> <br /> sco_sock_connect(sk) sco_sock_connect(sk)<br /> sk_state==BT_OPEN sk_state==BT_OPEN<br /> (pass, no lock) (pass, no lock)<br /> sco_connect(sk): sco_connect(sk):<br /> hci_dev_lock hci_dev_lock<br /> hci_connect_sco hcon1<br /> sco_conn_add-&gt;conn1<br /> lock_sock(sk)<br /> sco_chan_add:<br /> conn1-&gt;sk = sk<br /> sk-&gt;conn = conn1<br /> sk_state=BT_CONNECT<br /> release_sock<br /> hci_dev_unlock<br /> hci_dev_lock<br /> sco_conn_del:<br /> lock_sock(sk)<br /> sco_chan_del:<br /> sk-&gt;conn=NULL<br /> conn1-&gt;sk=NULL<br /> sk_state=<br /> BT_CLOSED<br /> SOCK_ZAPPED<br /> release_sock<br /> hci_dev_unlock<br /> (unblocked)<br /> hci_connect_sco<br /> -&gt; hcon2<br /> sco_conn_add<br /> -&gt; conn2<br /> lock_sock(sk)<br /> sco_chan_add:<br /> sk-&gt;conn=conn2<br /> sk_state=<br /> BT_CONNECT<br /> // zombie sk!<br /> release_sock<br /> hci_dev_unlock<br /> <br /> Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to<br /> BT_CONNECT. Subsequent cleanup triggers double sock_put() and<br /> use-after-free. Meanwhile conn1 is leaked as it was orphaned<br /> when sco_conn_del() cleared the association.<br /> <br /> Fix this by:<br /> - Moving lock_sock() before the sk_state/sk_type checks in<br /> sco_sock_connect() to serialize concurrent connect attempts<br /> - Fixing the sk_type != SOCK_SEQPACKET check to actually<br /> return the error instead of just assigning it<br /> - Adding a state re-check in sco_connect() after lock_sock()<br /> to catch state changes during the window between the locks<br /> - Adding sco_pi(sk)-&gt;conn check in sco_chan_add() to prevent<br /> double-attach of a socket to multiple connections<br /> - Adding hci_conn_drop() on sco_chan_add failure to prevent<br /> HCI connection leaks