{
  "id": "CVE-2026-43023",
  "summary": "Bluetooth: SCO: fix race conditions in sco_sock_connect()",
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: fix race conditions in sco_sock_connect()\n\nsco_sock_connect() checks sk_state and sk_type without holding\nthe socket lock. Two concurrent connect() syscalls on the same\nsocket can both pass the check and enter sco_connect(), leading\nto use-after-free.\n\nThe buggy scenario involves three participants and was confirmed\nwith additional logging instrumentation:\n\n  Thread A (connect):    HCI disconnect:      Thread B (connect):\n\n  sco_sock_connect(sk)                        sco_sock_connect(sk)\n  sk_state==BT_OPEN                           sk_state==BT_OPEN\n  (pass, no lock)                             (pass, no lock)\n  sco_connect(sk):                            sco_connect(sk):\n    hci_dev_lock                                hci_dev_lock\n    hci_connect_sco                               \u003c- blocked\n      -\u003e hcon1\n    sco_conn_add-\u003econn1\n    lock_sock(sk)\n    sco_chan_add:\n      conn1-\u003esk = sk\n      sk-\u003econn = conn1\n    sk_state=BT_CONNECT\n    release_sock\n    hci_dev_unlock\n                           hci_dev_lock\n                           sco_conn_del:\n                             lock_sock(sk)\n                             sco_chan_del:\n                               sk-\u003econn=NULL\n                               conn1-\u003esk=NULL\n                               sk_state=\n                                 BT_CLOSED\n                               SOCK_ZAPPED\n                             release_sock\n                           hci_dev_unlock\n                                                  (unblocked)\n                                                  hci_connect_sco\n                                                    -\u003e hcon2\n                                                  sco_conn_add\n                                                    -\u003e conn2\n                                                  lock_sock(sk)\n                                                  sco_chan_add:\n                                                    sk-\u003econn=conn2\n                                                  sk_state=\n                                                    BT_CONNECT\n                                                  // zombie sk!\n                                                  release_sock\n                                                  hci_dev_unlock\n\nThread B revives a BT_CLOSED + SOCK_ZAPPED socket back to\nBT_CONNECT. Subsequent cleanup triggers double sock_put() and\nuse-after-free. Meanwhile conn1 is leaked as it was orphaned\nwhen sco_conn_del() cleared the association.\n\nFix this by:\n- Moving lock_sock() before the sk_state/sk_type checks in\n  sco_sock_connect() to serialize concurrent connect attempts\n- Fixing the sk_type != SOCK_SEQPACKET check to actually\n  return the error instead of just assigning it\n- Adding a state re-check in sco_connect() after lock_sock()\n  to catch state changes during the window between the locks\n- Adding sco_pi(sk)-\u003econn check in sco_chan_add() to prevent\n  double-attach of a socket to multiple connections\n- Adding hci_conn_drop() on sco_chan_add failure to prevent\n  HCI connection leaks",
  "modified": "2026-05-18T06:00:11.936624779Z",
  "published": "2026-05-01T14:15:25.736Z",
  "database_specific": {
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43023.json",
    "cna_assigner": "Linux"
  },
  "references": [
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936b"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9cc"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43023.json"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43023"},
    {"type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            {"introduced": "70a13b1e25fef37c87c8a1228ddb8900efbca7cf"},
            {"fixed": "dabf22269242e2f2bf44c43fcdc2fa763df7f9cc"}
          ]
        },
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            {"introduced": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3"},
            {"fixed": "adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0"},
            {"fixed": "7e296ffdab5bdab718dff7c14288fdcb9154fa27"},
            {"fixed": "98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d"},
            {"fixed": "d002bd11024bd231bcb606877e33951ffb7bed14"},
            {"fixed": "8a5b0135d4a5d9683203a3d9a12a711ccec5936b"}
          ]
        }
      ],
      "versions": [
        "v6.1.167", "v6.1.166", "v6.1.165", "v6.1.164", "v6.1.163", "v6.1.162", "v6.1.161", "v6.1.160",
        "v6.1.159", "v6.1.158", "v6.1.157", "v6.1.156", "v6.1.155", "v6.1.154", "v6.1.153", "v6.1.152",
        "v6.1.151", "v6.1.150", "v6.1.149", "v6.1.148", "v6.1.147", "v6.1.146", "v6.1.145", "v6.1.144",
        "v6.1.143", "v6.1.142", "v6.1.141", "v6.1.140", "v6.1.139", "v6.1.138", "v6.1.137", "v6.1.136",
        "v6.1.135", "v6.1.134", "v6.1.133", "v6.1.132", "v6.1.131", "v6.1.130", "v6.1.129", "v6.1.128",
        "v6.1.127", "v6.1.126", "v6.1.125", "v6.1.124", "v6.1.123", "v6.1.122", "v6.1.121", "v6.1.120",
        "v6.1.119", "v6.1.118", "v6.1.117", "v6.1.116", "v6.1.115", "v6.1.114", "v6.1.113", "v6.1.112",
        "v6.1.111", "v6.1.110", "v6.1.109"
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43023.json"
      }
    },
    {
      "package": {"name": "Kernel", "ecosystem": "Linux"},
      "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "6.1.168"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.2.0"}, {"fixed": "6.6.134"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.3.0"}, {"fixed": "6.12.81"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.7.0"}, {"fixed": "6.18.22"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "6.13.0"}, {"fixed": "6.19.12"}]}
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43023.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}
  ]
}