VYPR
High severity8.8NVD Advisory· Published Apr 3, 2026· Updated May 20, 2026

CVE-2026-23461

CVE-2026-23461

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user

After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del().

This can lead to use-after-free and list corruption bugs, as reported by syzbot.

Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

12
  • Linux/Kernel12 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 11 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.6.84,<6.6.130
    • cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • (no CPE)

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.