CVE-2026-43023

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: fix race conditions in sco_sock_connect() sco_sock_connect() checks sk_state and sk_type without holding the socket lock. Two concurrent connect() syscalls on the same socket can both pass the check and enter sco_connect(), leading to use-after-free. The buggy scenario involves three participants and was confirmed with additional logging instrumentation: Thread A (connect): HCI disconnect: Thread B (connect): sco_sock_connect(sk) sco_sock_connect(sk) sk_state==BT_OPEN sk_state==BT_OPEN (pass, no lock) (pass, no lock) sco_connect(sk): sco_connect(sk): hci_dev_lock hci_dev_lock hci_connect_sco <- blocked -> hcon1 sco_conn_add->conn1 lock_sock(sk) sco_chan_add: conn1->sk = sk sk->conn = conn1 sk_state=BT_CONNECT release_sock hci_dev_unlock hci_dev_lock sco_conn_del: lock_sock(sk) sco_chan_del: sk->conn=NULL conn1->sk=NULL sk_state= BT_CLOSED SOCK_ZAPPED release_sock hci_dev_unlock (unblocked) hci_connect_sco -> hcon2 sco_conn_add -> conn2 lock_sock(sk) sco_chan_add: sk->conn=conn2 sk_state= BT_CONNECT // zombie sk! release_sock hci_dev_unlock Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to BT_CONNECT. Subsequent cleanup triggers double sock_put() and use-after-free. Meanwhile conn1 is leaked as it was orphaned when sco_conn_del() cleared the association. Fix this by: - Moving lock_sock() before the sk_state/sk_type checks in sco_sock_connect() to serialize concurrent connect attempts - Fixing the sk_type != SOCK_SEQPACKET check to actually return the error instead of just assigning it - Adding a state re-check in sco_connect() after lock_sock() to catch state changes during the window between the locks - Adding sco_pi(sk)->conn check in sco_chan_add() to prevent double-attach of a socket to multiple connections - Adding hci_conn_drop() on sco_chan_add failure to prevent HCI connection leaks

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel (修复提交前的版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <sys/socket.h>
#include <unistd.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/sco.h>

// Target Bluetooth Address (Needs to be adjusted based on environment)
// bdaddr_t target = {{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}};

void *thread_connect(void *arg) {
    int sock = *(int *)arg;
    struct sockaddr_sco addr;
    // memset(&addr, 0, sizeof(addr));
    // addr.sco_family = AF_BLUETOOTH;
    // bacpy(&addr.sco_bdaddr, &target);

    // Loop to increase race window probability
    for(int i = 0; i < 100; i++) {
        // connect(sock, (struct sockaddr *)&addr, sizeof(addr));
        // In a real PoC, specific HCI interactions might be needed to trigger the disconnect timing
        usleep(100); 
    }
    return NULL;
}

int main() {
    int sock = socket(AF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_SCO);
    if (sock < 0) {
        perror("socket");
        return 1;
    }

    pthread_t t1, t2;

    // Create two threads to race on the same socket
    pthread_create(&t1, NULL, thread_connect, &sock);
    pthread_create(&t2, NULL, thread_connect, &sock);

    pthread_join(t1, NULL);
    pthread_join(t2, NULL);

    close(sock);
    printf("Race condition attempt finished.\n");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43023
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43023
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43023/
[4] VulDB https://vuldb.com/cve/CVE-2026-43023
[5] https://git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27
[6] https://git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936b
[7] https://git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d
[8] https://git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0
[9] https://git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14
[10] https://git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9cc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43023", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:46.610", "lastModified": "2026-05-08T14:56:44.180", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: fix race conditions in sco_sock_connect()\n\nsco_sock_connect() checks sk_state and sk_type without holding\nthe socket lock. Two concurrent connect() syscalls on the same\nsocket can both pass the check and enter sco_connect(), leading\nto use-after-free.\n\nThe buggy scenario involves three participants and was confirmed\nwith additional logging instrumentation:\n\n Thread A (connect): HCI disconnect: Thread B (connect):\n\n sco_sock_connect(sk) sco_sock_connect(sk)\n sk_state==BT_OPEN sk_state==BT_OPEN\n (pass, no lock) (pass, no lock)\n sco_connect(sk): sco_connect(sk):\n hci_dev_lock hci_dev_lock\n hci_connect_sco <- blocked\n -> hcon1\n sco_conn_add->conn1\n lock_sock(sk)\n sco_chan_add:\n conn1->sk = sk\n sk->conn = conn1\n sk_state=BT_CONNECT\n release_sock\n hci_dev_unlock\n hci_dev_lock\n sco_conn_del:\n lock_sock(sk)\n sco_chan_del:\n sk->conn=NULL\n conn1->sk=NULL\n sk_state=\n BT_CLOSED\n SOCK_ZAPPED\n release_sock\n hci_dev_unlock\n (unblocked)\n hci_connect_sco\n -> hcon2\n sco_conn_add\n -> conn2\n lock_sock(sk)\n sco_chan_add:\n sk->conn=conn2\n sk_state=\n BT_CONNECT\n // zombie sk!\n release_sock\n hci_dev_unlock\n\nThread B revives a BT_CLOSED + SOCK_ZAPPED socket back to\nBT_CONNECT. Subsequent cleanup triggers double sock_put() and\nuse-after-free. Meanwhile conn1 is leaked as it was orphaned\nwhen sco_conn_del() cleared the association.\n\nFix this by:\n- Moving lock_sock() before the sk_state/sk_type checks in\n sco_sock_connect() to serialize concurrent connect attempts\n- Fixing the sk_type != SOCK_SEQPACKET check to actually\n return the error instead of just assigning it\n- Adding a state re-check in sco_connect() after lock_sock()\n to catch state changes during the window between the locks\n- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent\n double-attach of a socket to multiple connections\n- Adding hci_conn_drop() on sco_chan_add failure to prevent\n HCI connection leaks"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.109", "versionEndExcluding": "6.1.168", "matchCriteriaId": "A4F30D66-D58E-49A0-B69A-36EEB7033DDE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3.1", "versionEndExcluding": "6.6.134", "matchCriteriaId": "8DCEDE49-945B-4AC9-8166-D0841A4A8257"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.81", "matchCriteriaId": "6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D ... (truncated)