CVE-2026-53072

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix locking in hci conn request evt() with HCI PROTO DEFER

When protocol sets HCI PROTO DEFER, hci conn request evt() calls hci connect cfm(conn) without hdev->lock. Generally hci connect cfm() assumes it is held, and if conn is deleted concurrently -> UAF.

Only SCO and ISO set HCI PROTO DEFER and only for defer setup listen, and HCI EV CONN REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci connect cfm(conn) is called with hdev->lock held.

Fix by holding the lock.