INFSA-2025:10670: kernel-rt security update

Information about definition

Identifier: INFSA-2025:10670

Type: security

Release date: 2025-07-25 10:21:09 UTC

Information about package

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Vulnerabilities description

  • CVE-2022-49111

    A vulnerability was found in the Linux kernel's Bluetooth subsystem in the hci_disconn_phylink_complete_evt() function. Improper cleanup and reference handling can lead to a connection object, hcon, being freed and then later accessed during a subsequent function call. This issue can lead to a use-after-free scenario, leading to system instability, memory corruption, and potential code execution.

  • CVE-2022-49136

    A vulnerability was found in the Linux kernel's Bluetooth subsystem in the hci_cmd_sync_queue() function. There was a missing check for whether the HCI_UNREGISTER flag had been set, meaning that commands were still sent even as the Bluetooth device was being unregistered. This issue could lead to a use-after-free scenario where the command is executed after the device structure is freed, potentially leading to a crash, arbitrary code execution, and system instability.

  • CVE-2022-49846

    In the Linux kernel, the following vulnerability has been resolved: udf: Fix a slab-out-of-bounds write bug in udf_find_entry().

Severity level

CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0
 | no information | 7.0 | no information
 | no information | 7.0 | no information
 | no information | 7.1 | no information
Critical, important, moderate, low

Updated packages