PT-2026-44234 · Linux · Linux

Published: 2026-05-28 · Updated: 2026-05-28 · CVE-2026-46111

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in create_big_sync

Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().

Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().

hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.

Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().

Fix

Related Identifiers

CVE-2026-46111

Affected Products

Linux