HIGHCVE-2026-23461Published Modified CNA Linux
CVE-2026-23461: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del(). This can lead to use-after-free and list corruption bugs, as reported by syzbot. Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
011a87dd5df428a4b79a84d2790cac7f3c73f1f0d6.6.1306.12.786.146.18.206.19.107.071030f3b3015a412133a805ff47970cdcf30c2b8752a6c9596dd25efd6978a73ff21f3b592668f4ac22a5e659959eb77c2fbb58a5adfaf3c3dab7abfda3000cbe4851458a22be38bb18c0689c39fdd5f
Affected packages
- Linux / Linux< 11a87dd5df428a4b79a84d2790cac7f3c73f1f0d (from efc30877bd4bc85fefe98d80af60fafc86e5775e) · < c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf (from f87271d21dd4ee83857ca11b94e7b4952749bbae) · < da3000cbe4851458a22be38bb18c0689c39fdd5f (from ab4eedb790cae44313759b50fe47da285e2519d5) · < 71030f3b3015a412133a805ff47970cdcf30c2b8 (from ab4eedb790cae44313759b50fe47da285e2519d5) · < 752a6c9596dd25efd6978a73ff21f3b592668f4a (from ab4eedb790cae44313759b50fe47da285e2519d5) · 18ab6b6078fa8191ca30a3065d57bf35d5635761
- Linux / Linux6.14Fixed in 0, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H