Cyber Posture

CVE-2026-43023

High

Published: 01 May 2026

Modified: 08 May 2026
KEV Added: (not listed)
Patch: available
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-43023 is a high-severity race condition (CWE-362) in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 1.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and correction of flaws, directly requiring patching of the Linux kernel race condition in CVE-2026-43023 to eliminate the use-after-free vulnerability.

Memory protection (prevent): Implements memory protection safeguards like stack canaries, address randomization, and use-after-free detection that mitigate exploitation of the socket structure use-after-free triggered by concurrent connects.

CM-7 Least Functionality (prevent): Restricts the system to least functionality by disabling unnecessary Bluetooth SCO features, preventing execution of the vulnerable sco_sock_connect() code path.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Local kernel UAF race condition in Bluetooth SCO enables arbitrary code execution and privilege escalation via crafted syscalls.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: fix race conditions in sco_sock_connect()

sco_sock_connect() checks sk_state and sk_type without holding the socket lock. Two concurrent connect() syscalls on the same socket can both pass the check and enter sco_connect(), leading to use-after-free. The buggy scenario involves three participants and was confirmed with additional logging instrumentation; the steps are shown here in order:

  Thread A (connect):   sco_sock_connect(sk)
  Thread B (connect):   sco_sock_connect(sk)
  Thread A:             sk_state==BT_OPEN (pass, no lock)
  Thread B:             sk_state==BT_OPEN (pass, no lock)
  Thread A:             sco_connect(sk): hci_dev_lock
  Thread B:             sco_connect(sk): hci_dev_lock <- blocked
  Thread A:             hci_connect_sco -> hcon1
  Thread A:             sco_conn_add -> conn1
  Thread A:             lock_sock(sk)
  Thread A:             sco_chan_add: conn1->sk = sk; sk->conn = conn1
  Thread A:             sk_state = BT_CONNECT
  Thread A:             release_sock; hci_dev_unlock
  HCI disconnect:       hci_dev_lock
  HCI disconnect:       sco_conn_del: lock_sock(sk)
  HCI disconnect:       sco_chan_del: sk->conn = NULL; conn1->sk = NULL
  HCI disconnect:       sk_state = BT_CLOSED, SOCK_ZAPPED
  HCI disconnect:       release_sock; hci_dev_unlock
  Thread B:             (unblocked) hci_connect_sco -> hcon2
  Thread B:             sco_conn_add -> conn2
  Thread B:             lock_sock(sk)
  Thread B:             sco_chan_add: sk->conn = conn2
  Thread B:             sk_state = BT_CONNECT   // zombie sk!
  Thread B:             release_sock; hci_dev_unlock

Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to BT_CONNECT. Subsequent cleanup triggers double sock_put() and use-after-free. Meanwhile conn1 is leaked as it was orphaned when sco_conn_del() cleared the association.

Fix this by:
- Moving lock_sock() before the sk_state/sk_type checks in sco_sock_connect() to serialize concurrent connect attempts
- Fixing the sk_type != SOCK_SEQPACKET check to actually return the error instead of just assigning it
- Adding a state re-check in sco_connect() after lock_sock() to catch state changes during the window between the locks
- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent double-attach of a socket to multiple connections
- Adding hci_conn_drop() on sco_chan_add failure to prevent HCI connection leaks

Deeper analysis

CVE-2026-43023 is a race condition vulnerability in the Linux kernel's Bluetooth Synchronous Connection-Oriented (SCO) implementation, specifically within the sco_sock_connect() function. This flaw occurs because the function checks the socket's sk_state and sk_type without holding the socket lock, allowing two concurrent connect() syscalls on the same socket to both pass the checks and proceed into sco_connect(). This leads to a use-after-free condition, exacerbated by an intervening HCI disconnect event that orphans a connection and revives a closed socket, resulting in double sock_put() calls and potential connection leaks.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N) by orchestrating concurrent connect() syscalls on a Bluetooth SCO socket alongside precise timing of an HCI disconnect. Successful exploitation triggers a use-after-free on the socket structure, enabling high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) as scored by CVSS 3.1 at 7.8. This could allow arbitrary code execution, denial of service, or data corruption in the kernel context.

Mitigation requires applying upstream patches from Linux kernel stable repositories, as detailed in the referenced commits (e.g., 7e296ffdab5bdab718dff7c14288fdcb9154fa27 and others). These fixes serialize concurrent connects by moving lock_sock() before state/type checks, add state re-checks after locking, prevent double-attachment of sockets to connections via sco_pi(sk)->conn validation in sco_chan_add(), correct error handling for sk_type checks, and invoke hci_conn_drop() on sco_chan_add failures to avoid HCI connection leaks. Security practitioners should update affected kernel versions promptly and audit Bluetooth SCO usage in local applications.
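The interleaving in the NVD description and the parts of the fix discussed above, replayed as an added example (not kernel code): a deterministic single-thread model in which the two connects and the HCI disconnect run in the order shown, with the state re-check after lock_sock() and the sco_pi(sk)->conn double-attach guard switched on by the fixed flag. The struct and function names are simplified stand-ins assumed for the model, not the kernel's own types.

```c
#include <stdbool.h>
#include <stddef.h>

enum sk_state { BT_OPEN, BT_CONNECT, BT_CLOSED };
struct sco_sock;
struct sco_conn { struct sco_sock *sk; };   /* stand-in for the kernel's sco_conn */
struct sco_sock { enum sk_state state; bool zapped; struct sco_conn *conn; };

/* Phase 1 of connect(): the original unlocked sk_state check. */
static bool connect_precheck(const struct sco_sock *sk) { return sk->state == BT_OPEN; }

/* Phase 2: sco_connect() -> sco_chan_add(), run after lock_sock(). Unfixed,
 * the phase-1 result is trusted. Fixed, the state is re-checked under the
 * lock and a socket that already owns a conn is refused (the double-attach
 * guard). Returns 0 on attach, -1 when the attach is refused. */
static int connect_commit(struct sco_sock *sk, struct sco_conn *conn, bool fixed)
{
    if (fixed && (sk->state != BT_OPEN || sk->zapped || sk->conn != NULL))
        return -1;
    conn->sk = sk;
    sk->conn = conn;
    sk->state = BT_CONNECT;
    return 0;
}

/* HCI disconnect: sco_conn_del() -> sco_chan_del() clears the association. */
static void hci_disconnect(struct sco_sock *sk)
{
    if (sk->conn) sk->conn->sk = NULL;
    sk->conn = NULL; sk->state = BT_CLOSED; sk->zapped = true;
}

/* Replay one interleaving: A and B both pass the unlocked check, A attaches
 * conn1, optionally the HCI disconnect zaps the socket, then B's late attach
 * of conn2 runs. Returns -1 if the zapped socket was revived to BT_CONNECT
 * (the "zombie sk"), else the number of conns still claiming the socket
 * (2 means double-attach, with conn1 orphaned). */
static int replay(bool fixed, bool with_disconnect)
{
    struct sco_sock sk = { BT_OPEN, false, NULL };
    struct sco_conn conn1 = { NULL }, conn2 = { NULL };
    bool a_ok = connect_precheck(&sk), b_ok = connect_precheck(&sk);
    if (a_ok) connect_commit(&sk, &conn1, fixed);
    if (with_disconnect) hci_disconnect(&sk);
    if (b_ok) connect_commit(&sk, &conn2, fixed);
    if (sk.zapped && sk.state == BT_CONNECT) return -1;
    return (conn1.sk == &sk) + (conn2.sk == &sk);
}
```

With fixed=false the disconnect path yields the revived zombie socket and the no-disconnect path leaves two conns attached to one socket; with fixed=true the late attach is refused in both cases.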

Details

CWE(s): CWE-362 (Race Condition)

Affected Products

Vendor: linux
Product: linux kernel
Versions: 6.3, 7.0 · 6.1.109 — 6.1.168 · 6.3.1 — 6.6.134 · 6.7 — 6.12.81

CVEs Like This One

CVE-2026-23411 (same product: Linux kernel)
CVE-2026-23004 (same product: Linux kernel)
CVE-2026-23161 (same product: Linux kernel)
CVE-2026-31700 (same product: Linux kernel)
CVE-2026-31761 (same product: Linux kernel)
CVE-2026-23169 (same product: Linux kernel)
CVE-2026-23393 (same product: Linux kernel)
CVE-2026-23410 (same product: Linux kernel)
CVE-2026-31516 (same product: Linux kernel)
CVE-2026-23440 (same product: Linux kernel)
