CVE-2026-23461
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del().
This can lead to use-after-free and list corruption bugs, as reported by syzbot.
Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free and list corruption vulnerability in the Linux kernel's Bluetooth L2CAP subsystem due to inconsistent locking in l2cap_register_user() and l2cap_unregister_user().
Vulnerability
Analysis
The Linux kernel's Bluetooth L2CAP subsystem suffers from a use-after-free and list corruption vulnerability in the l2cap_unregister_user function. The root cause is a locking inconsistency: after commit ab4eedb790ca introduced the use of conn->lock to protect access to conn->users in l2cap_conn_del(), the functions l2cap_register_user() and l2cap_unregister_user() were not updated to use the same lock. Instead, they continued using hci_dev_lock(), leading to a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del() [1].
Exploitation
Prerequisites
An attacker needs to be able to trigger Bluetooth L2CAP connection events and user registration/unregistration operations. This requires local access to the system and the ability to interact with the Bluetooth stack, potentially through crafted Bluetooth packets or by manipulating user-space applications that use L2CAP sockets. The race window is narrow, making exploitation non-trivial but possible, as demonstrated by syzbot reports [2].
Impact
Successful exploitation can lead to use-after-free conditions where an attacker can corrupt kernel memory, potentially leading to a denial of service (system crash) or arbitrary code execution with kernel privileges. The list corruption also destabilizes the Bluetooth subsystem [3].
Mitigation
The fix changes l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure. The patch has been applied to the stable kernel trees as of April 2026 [4]. Users should update their kernels to include commit 71030f3b3015 or its backports.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0dnvdPatch
- git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8nvdPatch
- git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4anvdPatch
- git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abfnvdPatch
- git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5fnvdPatch
News mentions
0No linked articles in our index yet.