Bug 2499748 (CVE-2026-53364)

Summary: CVE-2026-53364 kernel: Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's Bluetooth Host Controller Interface (HCI) connection handling. The `hci_le_big_terminate()` function, which is responsible for terminating Bluetooth connections, allocates memory but fails to free it under specific conditions when certain flags are not set. This memory leak could lead to resource exhaustion, potentially resulting in a denial of service (DoS).
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-07-13 18:02:16 UTC
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()

hci_le_big_terminate() allocates iso_list_data via kzalloc_obj but
returns 0 without freeing it when neither pa_sync_term nor big_sync_term
flags are set after evaluating the PA and BIG sync connection state.

This early-return path was introduced when hci_le_big_terminate() was
refactored to take struct hci_conn instead of raw u8 parameters, adding
PA/BIG flag evaluation logic. The existing kfree() on hci_cmd_sync_queue
failure does not cover this path.

Comment 1 Mauro Matteo Cascella 2026-07-14 11:10:23 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026071352-CVE-2026-53364-de64@gregkh/T