VDB

CVE-2026-23461

CVE-2026-23461 PUBLISHED

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del(). This can lead to use-after-free and list corruption bugs, as reported by syzbot. Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.

EPSS 0.02% · 6.6th percentile

Risk Scores

EPSS Score
0.02%
6.6th percentile

Affected Products

VendorProductVersions
linuxlinux_kernel6.6.84, 6.14, 6.14
LinuxLinuxf87271d21dd4ee83857ca11b94e7b4952749bbae, ab4eedb790cae44313759b50fe47da285e2519d5, ab4eedb790cae44313759b50fe47da285e2519d5

Timeline

  • Apr 3, 2026 CVE Published
  • Apr 27, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score
  • May 27, 2026 EPSS Score

References

…and 74 more

Open in Interactive Console →
$ Console Community · 100/wk Open console ›