Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user_CVE-2026-23461

8.8 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user

After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in
hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to
conn->users. However, l2cap_register_user() and l2cap_unregister_user()
don't use conn->lock, creating a race condition where these functions can
access conn->users and conn->hchan concurrently with l2cap_conn_del().

This can lead to use-after-free and list corruption bugs, as reported
by syzbot.

Fix this by changing l2cap_register_user() and l2cap_unregister_user()
to use conn->lock instead of hci_dev_lock(), ensuring consistent locking
for the l2cap_conn structure.

Basic Information

ID CVE-2026-23461

Source Linux

Published Apr 3, 2026 at 15:15

Modified Apr 27, 2026 at 14:02

Affected Product

Vendor Linux

Product Linux

Version efc30877bd4bc85fefe98d80af60fafc86e5775e

Affected Versions Linux Linux efc30877bd4bc85fefe98d80af60fafc86e5775e
Linux Linux f87271d21dd4ee83857ca11b94e7b4952749bbae
Linux Linux ab4eedb790cae44313759b50fe47da285e2519d5
Linux Linux ab4eedb790cae44313759b50fe47da285e2519d5
Linux Linux ab4eedb790cae44313759b50fe47da285e2519d5
Linux Linux 18ab6b6078fa8191ca30a3065d57bf35d5635761
Linux Linux 6.14

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\n\nAfter commit ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in\nhci_chan_del\"), l2cap_conn_del() uses conn->lock to protect access to\nconn->users. However, l2cap_register_user() and l2cap_unregister_user()\ndon't use conn->lock, creating a race condition where these functions can\naccess conn->users and conn->hchan concurrently with l2cap_conn_del().\n\nThis can lead to use-after-free and list corruption bugs, as reported\nby syzbot.\n\nFix this by changing l2cap_register_user() and l2cap_unregister_user()\nto use conn->lock instead of hci_dev_lock(), ensuring consistent locking\nfor the l2cap_conn structure.",
    "published": "2026-04-03T15:15:41.051Z",
    "modified": "2026-04-27T14:02:38.897Z",
    "type": "cve",
    "title": "Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d\nhttps://git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf\nhttps://git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5f\nhttps://git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8\nhttps://git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4a",
    "id": "CVE-2026-23461",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux efc30877bd4bc85fefe98d80af60fafc86e5775e\nLinux Linux f87271d21dd4ee83857ca11b94e7b4952749bbae\nLinux Linux ab4eedb790cae44313759b50fe47da285e2519d5\nLinux Linux ab4eedb790cae44313759b50fe47da285e2519d5\nLinux Linux ab4eedb790cae44313759b50fe47da285e2519d5\nLinux Linux 18ab6b6078fa8191ca30a3065d57bf35d5635761\nLinux Linux 6.14",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "efc30877bd4bc85fefe98d80af60fafc86e5775e",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply