In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
Use-after-free can occur in hci_disconnect_all_sync if a connection is deleted by concurrent processing of a controller event.
To prevent this the code now tries to iterate over the list backwards to ensure the links are cleaned up before their parents; also, it no longer relies on a cursor and instead always uses the last element, since hci_abort_conn_sync is guaranteed to call hci_conn_del.
BUG: KASAN: slab-use-after-free in hci_set_powered_sync (net/bluetooth/hci_sync.c:5424) [bluetooth]
Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124

CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W 6.5.0-rc1+ #10
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work [bluetooth]
Call Trace:
 <TASK>
 dump_stack_lvl+0x5b/0x90
 print_report+0xcf/0x670
 ? __virt_addr_valid+0xdd/0x160
 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
 kasan_report+0xa6/0xe0
 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
 hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
 ? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]
 ? __pfx_lock_release+0x10/0x10
 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
 hci_cmd_sync_work+0x137/0x220 [bluetooth]
 process_one_work+0x526/0x9d0
 ? __pfx_process_one_work+0x10/0x10
 ? __pfx_do_raw_spin_lock+0x10/0x10
 ? mark_held_locks+0x1a/0x90
 worker_thread+0x92/0x630
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x196/0x1e0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2c/0x50
 </TASK>

Allocated by task 1782:
 kasan_save_stack+0x33/0x60
 kasan_set_track+0x25/0x30
 __kasan_kmalloc+0x8f/0xa0
 hci_conn_add+0xa5/0xa80 [bluetooth]
 hci_bind_cis+0x881/0x9b0 [bluetooth]
 iso_connect_cis+0x121/0x520 [bluetooth]
 iso_sock_connect+0x3f6/0x790 [bluetooth]
 __sys_connect+0x109/0x130
 __x64_sys_connect+0x40/0x50
 do_syscall_64+0x60/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Freed by task 695:
 kasan_save_stack+0x33/0x60
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2b/0x50
 __kasan_slab_free+0x10a/0x180
 __kmem_cache_free+0x14d/0x2e0
 device_release+0x5d/0xf0
 kobject_put+0xdf/0x270
 hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]
 hci_event_packet+0x579/0x7e0 [bluetooth]
 hci_rx_work+0x287/0xaa0 [bluetooth]
 process_one_work+0x526/0x9d0
 worker_thread+0x92/0x630
 kthread+0x196/0x1e0
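As an added illustration of the loop shapes described in the fix above (this is a user-space model written here, not the kernel's code), the following C program walks a toy connection list two ways: with a saved cursor, where deleting a parent also frees the link the cursor already points at, and with the described approach of always taking the last element and relying on the abort routine to remove it. Freed entries are flagged instead of released so the stale access is counted rather than left undefined; the cascade deletion stands in for the concurrent event handler that frees the connection in the real report.

```c
/* Toy model of the connection list walked by hci_disconnect_all_sync (added
 * example, not kernel code). A "link" has a parent; deleting the parent also
 * deletes its links, as hci_conn_del does. Freed entries are flagged rather
 * than released, so a use-after-free is counted instead of crashing. */
#define NCONN 4
struct conn { int parent, freed, prev, next; };   /* -1 means none */
static struct conn pool[NCONN];
static int head = -1, tail = -1, uaf_hits;
/* every "pointer" access goes through here; a freed target counts as a UAF */
static struct conn *deref(int id) { if (pool[id].freed) uaf_hits++; return &pool[id]; }
static void reset(void)   /* constructed list: A, B (link of A), C, D (link of C) */
{
    int parent[NCONN] = { -1, 0, -1, 2 };
    for (int i = 0; i < NCONN; i++)
        pool[i] = (struct conn){ parent[i], 0, i - 1, i + 1 < NCONN ? i + 1 : -1 };
    head = 0; tail = NCONN - 1; uaf_hits = 0;
}
static void conn_del(int id)                      /* models hci_conn_del */
{
    for (int l = head, n; l != -1; l = n) {       /* cascade: links go first */
        n = pool[l].next;
        if (pool[l].parent == id) conn_del(l);
    }
    struct conn *c = &pool[id];
    if (c->prev != -1) pool[c->prev].next = c->next; else head = c->next;
    if (c->next != -1) pool[c->next].prev = c->prev; else tail = c->prev;
    c->freed = 1;
}
/* models hci_abort_conn_sync: touches the conn, then always deletes it */
static void abort_conn(int id) { deref(id); conn_del(id); }
/* Buggy shape: forward walk with a saved cursor. Deleting A also frees its
 * link B, which is exactly the element the cursor already points at. */
int disconnect_all_cursor(void)
{
    reset();
    for (int cur = head, nxt; cur != -1; cur = nxt) {
        nxt = deref(cur)->next;                   /* UAF once cur was freed */
        if (!pool[cur].freed) abort_conn(cur);    /* guard keeps the model alive */
    }
    return uaf_hits;
}
/* Fixed shape: no cursor, always take the last element. Links sit after their
 * parents, so abort_conn() removes the tail and the loop makes progress. */
int disconnect_all_last(void)
{
    reset();
    while (tail != -1) abort_conn(tail);
    return uaf_hits;
}
```

The cursor walk records two stale accesses (B after A's deletion, D after C's), while the last-element walk records none and empties the list.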
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53762.json"
}