Reported by Linux · Published April 3, 2026
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del(). This can lead to use-after-free and list corruption bugs, as reported by syzbot. Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | efc30877bd4bc85fefe98d80af60fafc86e5775e, f87271d21dd4ee83857ca11b94e7b4952749bbae, ab4eedb790cae44313759b50fe47da285e2519d5 |
| Linux | Linux | 6.14, 0, 6.6.130 |
| linux | linux_kernel | 6.6.84, 6.14, 6.14 |
| Linux | Linux | 7.0-rc5, 6.6.130, 6.12.78 |