CVE-2026-23462
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: HIDP: Fix possible UAF
This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called:
[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 97.809947] Call Trace:
[ 97.809954]
[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
[ 97.810404] __fput (fs/file_table.c:470)
[ 97.810430] task_work_run (kernel/task_work.c:235)
[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
[ 97.810527] do_exit (kernel/exit.c:972)
[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 97.810721] do_group_exit (kernel/exit.c:1093)
[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810826] ? vfs_read (fs/read_write.c:555)
[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810960] arch_do_signal_or_restart (arch/ ---truncated---
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free (UAF) vulnerability in the Linux kernel's Bluetooth HIDP subsystem allows local attackers to trigger memory corruption and potentially escalate privileges.
Vulnerability Overview
CVE-2026-23462 is a use-after-free (UAF) vulnerability in the Linux kernel's Bluetooth Human Interface Device Protocol (HIDP) implementation. The root cause is that the user->remove callback can be invoked without properly dropping the reference to the associated l2cap_conn structure. This leads to a situation where the l2cap_conn object is freed prematurely while still being referenced, resulting in a use-after-free condition as evidenced by the kernel crash trace [1].
Exploitation Conditions
The vulnerability can be triggered when a Bluetooth HID device is disconnected or when the underlying HCI connection is closed, causing the l2cap_conn_del and subsequent l2cap_disconn_cfm callbacks to be invoked. An attacker with local access to the system and the ability to interact with Bluetooth interfaces (e.g., by connecting/disconnecting a malicious HID device) could exploit this flaw. No special privileges beyond local access are required, although an attacker must have the capability to manage Bluetooth connections.
Impact
Successful exploitation of this UAF bug can lead to memory corruption, potentially allowing an attacker to crash the system (denial of service) or escalate privileges to gain arbitrary code execution in kernel context. The vulnerability is rated as high severity with a CVSS v3 score of 8.8, reflecting the serious potential impact on system integrity and availability.
Mitigation
The fix has been applied in the Linux kernel and is available in stable releases. Users are advised to update their kernel to a version that includes the commit resolving the reference counting issue [2]. No workaround is known, making patching the recommended course of action. There is no indication that this vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog at the time of publication.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/18b1263ece6431bd78fa6b61faaef5281203741c (nvd, Patch)
- git.kernel.org/stable/c/21a47a119f33df9bb157326846390d7e8e1b45ba (nvd, Patch)
- git.kernel.org/stable/c/45ebe5b900200ac3e01f3470506a44a447825721 (nvd, Patch)
- git.kernel.org/stable/c/4d37fa7582aa960ba23e10a7a2596a29f37ad281 (nvd, Patch)
- git.kernel.org/stable/c/7c805b7d1e580eececcc92470292e3dbc42bc3f5 (nvd, Patch)
- git.kernel.org/stable/c/d955ccbf91ab74d76fe9e4eab2846a7d8a173075 (nvd, Patch)
- git.kernel.org/stable/c/dbf666e4fc9bdd975a61bf682b3f75cb0145eedd (nvd, Patch)
- git.kernel.org/stable/c/f8b6ed2f06d3baa44f347a0fa2af52433f386463 (nvd, Patch)
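To check whether a kernel.org-derived git checkout already contains one of the fix commits referenced above, the following is an added example and not part of the CVE record. The function name `check_fix`, the script name `check_fix.sh` and the exit-code convention are this example's own assumptions; the hashes are copied from the reference list.

```shell
#!/bin/sh
# Added example: does a kernel git checkout contain one of the CVE-2026-23462
# fix commits? Hashes are copied from this page's reference list.
FIX_COMMITS="
18b1263ece6431bd78fa6b61faaef5281203741c
21a47a119f33df9bb157326846390d7e8e1b45ba
45ebe5b900200ac3e01f3470506a44a447825721
4d37fa7582aa960ba23e10a7a2596a29f37ad281
7c805b7d1e580eececcc92470292e3dbc42bc3f5
d955ccbf91ab74d76fe9e4eab2846a7d8a173075
dbf666e4fc9bdd975a61bf682b3f75cb0145eedd
f8b6ed2f06d3baa44f347a0fa2af52433f386463
"

# check_fix REPO [REV] [COMMITS]  (name and exit codes are this example's own)
#   0 = REV contains a listed fix commit (its hash is printed on stdout)
#   1 = every listed commit object is present, none is an ancestor of REV
#   2 = undetermined: not a git repo, bad REV, or commit objects are missing
#       (shallow clone, or a vendor tree that backported under another hash)
check_fix() {
    repo=$1; rev=${2:-HEAD}; commits=${3:-$FIX_COMMITS}
    git -C "$repo" rev-parse --verify --quiet "$rev^{commit}" >/dev/null 2>&1 || return 2
    missing=0
    for c in $commits; do
        # A commit that is not in the object store cannot be tested for ancestry.
        if ! git -C "$repo" cat-file -e "$c^{commit}" 2>/dev/null; then
            missing=1
            continue
        fi
        if git -C "$repo" merge-base --is-ancestor "$c" "$rev" 2>/dev/null; then
            echo "$c"
            return 0
        fi
    done
    [ "$missing" -eq 0 ] && return 1
    return 2
}

# Stand-alone use: ./check_fix.sh /path/to/linux [rev]
if [ "${0##*/}" = "check_fix.sh" ]; then
    rc=0; check_fix "${1:-.}" "${2:-HEAD}" || rc=$?
    case $rc in
        0) echo "fix present" ;;
        1) echo "fix NOT present" ;;
        *) echo "undetermined" ;;
    esac
fi
```

A result of 1 or 2 on a distribution kernel tree does not by itself mean the kernel is unpatched, because vendors often backport fixes under their own commit hashes; the vendor's advisory for this CVE is the authority there.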