cve 2024 26903
About this tag
CVE-2024-26903 is a Linux kernel vulnerability in the Bluetooth RFCOMM subsystem that can be exploited to cause a denial-of-service condition. The flaw is a null-pointer dereference in the rfcomm_check_security path, triggered when an out-of-order HCI response arrives during connection teardown. This leads to a kernel panic, crashing the host system. The vulnerability affects the RFCOMM serial-port emulation layer over Bluetooth's L2CAP transport, commonly used by legacy serial-over-Bluetooth applications and embedded stacks. A targeted patch has been released to fix the race condition and prevent the null-pointer dereference. Users are advised to apply the update to mitigate the risk of system crashes.
The Linux kernel received a targeted fix for a Bluetooth RFCOMM bug that could be weaponized to crash a host: CVE-2024-26903 is a null-pointer dereference in the rfcomm_check_security path that leads to a denial-of-service (kernel panic) when an out-of-order HCI response arrives during teardown...