{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "70a13b1e25fef37c87c8a1228ddb8900efbca7cf"
            },
            {
              "fixed": "dabf22269242e2f2bf44c43fcdc2fa763df7f9cc"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3"
            },
            {
              "fixed": "adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0"
            },
            {
              "fixed": "7e296ffdab5bdab718dff7c14288fdcb9154fa27"
            },
            {
              "fixed": "98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d"
            },
            {
              "fixed": "d002bd11024bd231bcb606877e33951ffb7bed14"
            },
            {
              "fixed": "8a5b0135d4a5d9683203a3d9a12a711ccec5936b"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "6.1.109"
            },
            {
              "fixed": "6.1.168"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.168"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.134"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.3.0"
            },
            {
              "fixed": "6.12.81"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.18.22"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.19.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43023.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: fix race conditions in sco_sock_connect()\n\nsco_sock_connect() checks sk_state and sk_type without holding\nthe socket lock. Two concurrent connect() syscalls on the same\nsocket can both pass the check and enter sco_connect(), leading\nto use-after-free.\n\nThe buggy scenario involves three participants and was confirmed\nwith additional logging instrumentation:\n\n  Thread A (connect):    HCI disconnect:      Thread B (connect):\n\n  sco_sock_connect(sk)                        sco_sock_connect(sk)\n  sk_state==BT_OPEN                           sk_state==BT_OPEN\n  (pass, no lock)                             (pass, no lock)\n  sco_connect(sk):                            sco_connect(sk):\n    hci_dev_lock                                hci_dev_lock\n    hci_connect_sco                               \u003c- blocked\n      -\u003e hcon1\n    sco_conn_add-\u003econn1\n    lock_sock(sk)\n    sco_chan_add:\n      conn1-\u003esk = sk\n      sk-\u003econn = conn1\n    sk_state=BT_CONNECT\n    release_sock\n    hci_dev_unlock\n                           hci_dev_lock\n                           sco_conn_del:\n                             lock_sock(sk)\n                             sco_chan_del:\n                               sk-\u003econn=NULL\n                               conn1-\u003esk=NULL\n                               sk_state=\n                                 BT_CLOSED\n                               SOCK_ZAPPED\n                             release_sock\n                           hci_dev_unlock\n                                                  (unblocked)\n                                                  hci_connect_sco\n                                                    -\u003e hcon2\n                                                  sco_conn_add\n                                                    -\u003e conn2\n                                                  lock_sock(sk)\n                                                  sco_chan_add:\n                                                    sk-\u003econn=conn2\n                                                  sk_state=\n                                                    BT_CONNECT\n                                                  // zombie sk!\n                                                  release_sock\n                                                  hci_dev_unlock\n\nThread B revives a BT_CLOSED + SOCK_ZAPPED socket back to\nBT_CONNECT. Subsequent cleanup triggers double sock_put() and\nuse-after-free. Meanwhile conn1 is leaked as it was orphaned\nwhen sco_conn_del() cleared the association.\n\nFix this by:\n- Moving lock_sock() before the sk_state/sk_type checks in\n  sco_sock_connect() to serialize concurrent connect attempts\n- Fixing the sk_type != SOCK_SEQPACKET check to actually\n  return the error instead of just assigning it\n- Adding a state re-check in sco_connect() after lock_sock()\n  to catch state changes during the window between the locks\n- Adding sco_pi(sk)-\u003econn check in sco_chan_add() to prevent\n  double-attach of a socket to multiple connections\n- Adding hci_conn_drop() on sco_chan_add failure to prevent\n  HCI connection leaks",
  "id": "CVE-2026-43023",
  "modified": "2026-07-08T05:37:34.426434053Z",
  "published": "2026-05-01T14:15:25.736Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9cc"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43023.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43023"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bluetooth: SCO: fix race conditions in sco_sock_connect()"
}