[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-43322":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-15T22:50:23.791Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":20,"aliases":21,"duplicate_of":9,"upstream":22,"downstream":23,"duplicates":30,"related":31,"reserved_at":9,"published_at":32,"modified_at":33,"state":34,"summary":35,"references_raw":44,"kevs":55,"epss":56,"epss_history":59,"metrics":175,"affected":183},"CVE-2026-43322","In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Fix UAF in le_read_features_complete\n\nThis fixes the following backtrace caused by hci_conn being freed\nbefore le_read_features_complete but after\nhci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue\nis not able to prevent it:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\nBUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\nBUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\nWrite of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52\n\nCPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003CTASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:194 [inline]\n kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\n hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\n le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\n hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n \u003C/TASK>\n\nAllocated by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963\n hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084\n le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714\n hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861\n hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408\n hci_event_func net/bluetooth/hci_event.c:7716 [inline]\n hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773\n hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nFreed by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587\n kasan_save_free_info mm/kasan/kasan.h:406 [inline]\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2540 [inline]\n slab_free mm/slub.c:6663 [inline]\n kfree+0x2f8/0x6e0 mm/slub.c:6871\n device_release+0xa4/0x240 drivers/base/core.c:2565\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1e7/0x590 lib/kobject.\n---truncated---",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-416","Use After Free","The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory \"belongs\" to the code that operates on the new pointer.","weakness","Stable","Variant","High",[],[],[],[],[24,26,28],{"_key":25},"UBUNTU-CVE-2026-43322",{"_key":27},"RHSA-2026:23329",{"_key":29},"DEBIAN-CVE-2026-43322",[],[],"2026-05-08T13:31:07.436Z","2026-05-11T22:22:19.339Z","Analyzed",{"cisa_kev":36,"cisa_ransomware":36,"cisa_vendor":9,"epss_severity":37,"epss_score":38,"severity":39,"severity_score":40,"severity_version":41,"severity_source":42,"severity_vector":43,"severity_status":34},false,"low",0.00219,"high",8.8,"v3.1","cve.org","CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[45,51],{"url":46,"sources":47,"tags":49},"https://git.kernel.org/stable/c/260dc2be643b4a35b27008490c533613e3e53867",[42,48],"nvd",[50],"Patch",{"url":52,"sources":53,"tags":54},"https://git.kernel.org/stable/c/035c25007c9e698bef3826070ee34bb6d778020c",[42,48],[50],[],{"date":57,"score":38,"percentile":58},"2026-06-15",0.12239,[60,64,67,71,74,77,81,84,87,90,93,96,99,102,105,108,111,114,117,120,123,126,129,132,135,138,140,143,146,149,152,155,159,162,165,168,171,174],{"date":61,"score":62,"percentile":63},"2026-05-09",0.00018,0.05073,{"date":65,"score":62,"percentile":66},"2026-05-10",0.05089,{"date":68,"score":69,"percentile":70},"2026-05-11",0.00017,0.0405,{"date":72,"score":69,"percentile":73},"2026-05-12",0.04056,{"date":75,"score":69,"percentile":76},"2026-05-13",0.04076,{"date":78,"score":79,"percentile":80},"2026-05-14",0.00021,0.06044,{"date":82,"score":79,"percentile":83},"2026-05-15",0.06045,{"date":85,"score":79,"percentile":86},"2026-05-16",0.06038,{"date":88,"score":79,"percentile":89},"2026-05-17",0.06032,{"date":91,"score":79,"percentile":92},"2026-05-18",0.06,{"date":94,"score":79,"percentile":95},"2026-05-19",0.05986,{"date":97,"score":79,"percentile":98},"2026-05-20",0.05952,{"date":100,"score":79,"percentile":101},"2026-05-21",0.05944,{"date":103,"score":79,"percentile":104},"2026-05-22",0.06166,{"date":106,"score":79,"percentile":107},"2026-05-23",0.06151,{"date":109,"score":79,"percentile":110},"2026-05-24",0.0615,{"date":112,"score":79,"percentile":113},"2026-05-25",0.06132,{"date":115,"score":79,"percentile":116},"2026-05-26",0.06112,{"date":118,"score":79,"percentile":119},"2026-05-27",0.06147,{"date":121,"score":79,"percentile":122},"2026-05-28",0.06234,{"date":124,"score":79,"percentile":125},"2026-05-29",0.0624,{"date":127,"score":79,"percentile":128},"2026-05-30",0.06228,{"date":130,"score":79,"percentile":131},"2026-05-31",0.06218,{"date":133,"score":79,"percentile":134},"2026-06-01",0.06169,{"date":136,"score":79,"percentile":137},"2026-06-02",0.06086,{"date":139,"score":79,"percentile":83},"2026-06-03",{"date":141,"score":79,"percentile":142},"2026-06-04",0.06048,{"date":144,"score":79,"percentile":145},"2026-06-05",0.06075,{"date":147,"score":79,"percentile":148},"2026-06-06",0.06062,{"date":150,"score":79,"percentile":151},"2026-06-07",0.06059,{"date":153,"score":79,"percentile":154},"2026-06-08",0.06011,{"date":156,"score":157,"percentile":158},"2026-06-09",0.00023,0.06653,{"date":160,"score":157,"percentile":161},"2026-06-10",0.06682,{"date":163,"score":157,"percentile":164},"2026-06-11",0.06684,{"date":166,"score":157,"percentile":167},"2026-06-12",0.06705,{"date":169,"score":157,"percentile":170},"2026-06-13",0.06693,{"date":172,"score":157,"percentile":173},"2026-06-14",0.06676,{"date":57,"score":38,"percentile":58},[176,181],{"source":42,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":177,"cvss_v4_0":9},{"baseScore":40,"baseSeverity":178,"vectorString":43,"impactScore":179,"exploitabilityScore":180},"HIGH",9.8,7.2,{"source":48,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":182,"cvss_v4_0":9},{"baseScore":40,"baseSeverity":178,"vectorString":43,"impactScore":179,"exploitabilityScore":180},[184,201],{"ecosystem":9,"name":185,"vendor":186,"product":186,"cpe_part":187,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":188},"Linux","linux","a",[189,196,199],{"version":190,"is_range":191,"range_type":42,"version_start":192,"version_start_type":193,"version_end":194,"version_end_type":195,"fixed_in":9},">= a106e50be74b0896583f4d010a69f9806e4194f4, \u003C 260dc2be643b4a35b27008490c533613e3e53867",true,"a106e50be74b0896583f4d010a69f9806e4194f4","including","260dc2be643b4a35b27008490c533613e3e53867","excluding",{"version":197,"is_range":191,"range_type":42,"version_start":192,"version_start_type":193,"version_end":198,"version_end_type":195,"fixed_in":9},">= a106e50be74b0896583f4d010a69f9806e4194f4, \u003C 035c25007c9e698bef3826070ee34bb6d778020c","035c25007c9e698bef3826070ee34bb6d778020c",{"version":200,"is_range":36,"range_type":42,"version_start":200,"version_start_type":193,"version_end":200,"version_end_type":193,"fixed_in":9},"6.19",{"ecosystem":9,"name":202,"vendor":186,"product":203,"cpe_part":204,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":205},"linux kernel","linux_kernel","o",[206,210,212,214,216,218,220,222],{"version":207,"is_range":191,"range_type":208,"version_start":200,"version_start_type":193,"version_end":209,"version_end_type":195,"fixed_in":9},"gte6.19_lt6.19.12","cpe","6.19.12",{"version":211,"is_range":36,"range_type":208,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"7.0:rc1",{"version":213,"is_range":36,"range_type":208,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"7.0:rc2",{"version":215,"is_range":36,"range_type":208,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"7.0:rc3",{"version":217,"is_range":36,"range_type":208,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"7.0:rc4",{"version":219,"is_range":36,"range_type":208,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"7.0:rc5",{"version":221,"is_range":36,"range_type":208,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"7.0:rc6",{"version":223,"is_range":36,"range_type":208,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"7.0:rc7"]