VYPR
Unrated severity · NVD Advisory · Published May 26, 2026

CVE-2026-45834

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()

Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bluetooth L2CAP missing NULL guard in state change callback leads to null-ptr-deref crash.

Vulnerability

The Linux kernel's Bluetooth L2CAP subsystem has a null-pointer dereference bug in l2cap_sock_state_change_cb(). The callback reads the socket pointer from chan->data and uses it without a NULL guard, unlike the similar functions l2cap_sock_resume_cb() and l2cap_sock_ready_cb(), which already have such protection. The vulnerability affects kernel versions prior to the fix commit [1].

Exploitation

An attacker needs to trigger a state change on an L2CAP socket that has a NULL channel pointer. This can occur, for example, when a socket is closed or otherwise manipulated in a way that clears the chan field without the callback being properly guarded. The attack requires no special privileges beyond the ability to interact with Bluetooth sockets (e.g., via a local user or a Bluetooth-enabled device). The sequence of steps involves causing the socket state to transition (e.g., to disconnected) while the chan pointer is NULL, leading to the callback attempting to dereference it.

Impact

A null-ptr-deref triggers a kernel crash (denial of service). This can cause system instability or downtime. The scope is local to the kernel; no data disclosure or remote code execution is implied.

Mitigation

The fix is committed in the kernel stable tree as c88c185ae0a1067823661b220aeea613df2c127b [1]. It adds the same NULL guard already present in the other two callbacks. Users should update to a kernel version containing this commit. No workaround is available without patching.
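As an added check (an example script written for this page, not part of the advisory or of the kernel project), the following classifies a kernel version string against the "Fixed in" releases the patch entries on this page list: 6.6.140, 6.12.88, 6.18.30, 7.0.7 and 7.1-rc3. It assumes the version has the MAJOR.MINOR[.PATCH][-suffix] shape that `uname -r` prints, with mainline release candidates appearing as "7.1.0-rcN"; the function name `kernel_fix_status` is the example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the kernel project.
# Classifies a kernel version string against the "Fixed in" releases that this
# page lists for CVE-2026-45834 (6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3).
# Assumptions: the version looks like MAJOR.MINOR[.PATCH][-suffix] as printed by
# `uname -r`; mainline -rc kernels appear as "7.1.0-rcN". Distribution kernels
# that backport the fix without bumping the upstream version are reported as
# "vulnerable" by this table lookup, so treat that verdict as "check with your
# vendor", not as proof.

# Prints one of: patched | vulnerable | unknown
kernel_fix_status() {
    ver=$1
    base=${ver%%[-+]*}                  # "6.12.88-generic" -> "6.12.88"
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}   # keep the leading digits only

    # Reject anything that is not numeric before using -gt/-ge on it.
    case "$major$minor" in
        ''|*[!0-9]*) echo unknown; return ;;
    esac

    case "$major.$minor" in
        6.6)  need=140 ;;   # stable 6.6.y:  fixed in 6.6.140
        6.12) need=88 ;;    # stable 6.12.y: fixed in 6.12.88
        6.18) need=30 ;;    # stable 6.18.y: fixed in 6.18.30
        7.0)  need=7 ;;     # stable 7.0.y:  fixed in 7.0.7
        7.1)
            # Mainline: fixed from 7.1-rc3 onwards; a version without "-rc" is final.
            rc=${ver#*-rc}
            if [ "$rc" = "$ver" ]; then
                echo patched
            else
                rcnum=${rc%%[!0-9]*}
                if [ "${rcnum:-0}" -ge 3 ]; then echo patched; else echo vulnerable; fi
            fi
            return ;;
        *)
            # Not a branch this page lists. Anything newer than 7.1 contains the
            # mainline fix; older unlisted branches (e.g. 6.1.y) cannot be judged
            # from this page, so say so instead of guessing.
            if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 1 ]; }; then
                echo patched
            else
                echo unknown
            fi
            return ;;
    esac

    if [ "$patch" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Stand-alone use: report on the running kernel, or on a version given as $1.
kver=${1:-$(uname -r 2>/dev/null || echo unknown)}
echo "kernel $kver: $(kernel_fix_status "$kver")"
```

The "unknown" verdict is deliberate: branches the advisory does not name (6.1.y, 5.15.y, vendor trees) get no guess, and a "vulnerable" verdict on a distribution kernel only means the upstream version number predates the fix; the vendor's changelog decides whether the commit was backported.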

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 10
1810e42ff671

Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Siwei Zhang · Apr 15, 2026 · Fixed in 6.18.30 · via kernel-cna
1 file changed · +3 −1
  • net/bluetooth/l2cap_sock.c (+3 −1, modified)
    diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
    index 9de1e3ca939437..d1017d7f5ca78f 100644
    --- a/net/bluetooth/l2cap_sock.c
    +++ b/net/bluetooth/l2cap_sock.c
    @@ -1643,6 +1643,9 @@ static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
     {
     	struct sock *sk = chan->data;
     
    +	if (!sk)
    +		return;
    +
     	sk->sk_state = state;
     
     	if (err)
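Review bot: the new guard sits after `struct sock *sk = chan->data;`, so it covers only the case where `chan->data` is NULL; `chan` itself is still dereferenced unconditionally on entry, which is consistent with the commit message (the same guard as l2cap_sock_resume_cb() and l2cap_sock_ready_cb()) but worth stating. The check is a read of `chan->data` followed by writes through the saved `sk` (`sk->sk_state = state` and whatever the `if (err)` branch does), so the commit message should also say what serialises the clearing of `chan->data` against this callback; if nothing does, the check narrows the window rather than closing it.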
    -- 
    cgit 1.3-korg
    
    
    
2ff1a41a912d

Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Siwei Zhang · Apr 15, 2026 · Fixed in 7.1-rc3 · via kernel-cna
1 file changed · +3 −1
  • net/bluetooth/l2cap_sock.c (+3 −1, modified)
    diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
    index 71e8c1b45bcee1..fb3cb70a5a39d0 100644
    --- a/net/bluetooth/l2cap_sock.c
    +++ b/net/bluetooth/l2cap_sock.c
    @@ -1657,6 +1657,9 @@ static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
     {
     	struct sock *sk = chan->data;
     
    +	if (!sk)
    +		return;
    +
     	sk->sk_state = state;
     
     	if (err)
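Review bot: this is the mainline version of the change (the other entries are stable backports at different offsets), and the one-line commit message justifies the guard only by analogy to the sibling callbacks. A sentence on how `chan->data` comes to be NULL by the time the state-change callback runs, plus a short comment above `if (!sk)` saying the same, would let the stable maintainers and the next reader of this function understand the early return without digging through l2cap_sock_resume_cb() and l2cap_sock_ready_cb().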
a2dcf1a61d05

Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Siwei Zhang · Apr 15, 2026 · Fixed in 7.0.7 · via kernel-cna
1 file changed · +3 −1
  • net/bluetooth/l2cap_sock.c (+3 −1, modified)
    diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
    index 8994e9c5d179ae..1cf70eaeb1ee77 100644
    --- a/net/bluetooth/l2cap_sock.c
    +++ b/net/bluetooth/l2cap_sock.c
    @@ -1660,6 +1660,9 @@ static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
     {
     	struct sock *sk = chan->data;
     
    +	if (!sk)
    +		return;
    +
     	sk->sk_state = state;
     
     	if (err)
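Review bot: the backport is byte-identical to the mainline hunk apart from the offset (1660 here, 1657 upstream). Before taking it into 7.0.y, confirm that l2cap_sock_resume_cb() and l2cap_sock_ready_cb() in that branch already carry the equivalent `if (!sk) return;` guard the commit message relies on; if the sibling guards arrived in a later release, this backport on its own leaves the same pattern unguarded in those two callbacks.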
c88c185ae0a1

Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Siwei Zhang · Apr 15, 2026 · Fixed in 6.12.88 · via kernel-cna
1 file changed · +3 −1
  • net/bluetooth/l2cap_sock.c (+3 −1, modified)
    diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
    index 88b4625a45b3e4..7e0da1bdffdaa4 100644
    --- a/net/bluetooth/l2cap_sock.c
    +++ b/net/bluetooth/l2cap_sock.c
    @@ -1630,6 +1630,9 @@ static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
     {
     	struct sock *sk = chan->data;
     
    +	if (!sk)
    +		return;
    +
     	sk->sk_state = state;
     
     	if (err)
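Review bot: the early `return` silently discards both the new `state` and the `err` value passed to the callback when the socket is already gone. That is presumably the intended behaviour (there is no socket left to report to), but it should be said in the commit message, and a debug trace (BT_DBG is the usual choice in this subsystem) on the `if (!sk)` path would make the condition visible when someone is diagnosing a channel that keeps delivering events after its socket was released.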
5105f3e6b2df

Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Siwei Zhang · Apr 15, 2026 · Fixed in 6.6.140 · via kernel-cna
1 file changed · +3 −1
  • net/bluetooth/l2cap_sock.c (+3 −1, modified)
    diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
    index a91391a3a9d30a..a9816313407539 100644
    --- a/net/bluetooth/l2cap_sock.c
    +++ b/net/bluetooth/l2cap_sock.c
    @@ -1627,6 +1627,9 @@ static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
     {
     	struct sock *sk = chan->data;
     
    +	if (!sk)
    +		return;
    +
     	sk->sk_state = state;
     
     	if (err)
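Review bot: the entry shows only the subject line and the hunk, with no `Fixes:` tag visible. For an LTS backport (6.6.y here) the full commit should name the commit that left this callback without the guard its siblings have, or state explicitly that the unguarded dereference predates the sibling fixes, so the stable team can tell which branches need the change rather than inferring it from the "Fixed in" list.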

Vulnerability mechanics

Root cause

"Missing NULL pointer check in l2cap_sock_state_change_cb() before dereferencing chan->data."

Attack vector

An attacker can trigger a NULL-pointer dereference by causing an L2CAP channel state change callback to fire after the associated socket has already been cleaned up (i.e., `chan->data` set to NULL). This can occur through Bluetooth protocol interactions that lead to a race condition or improper channel lifecycle management. The callback `l2cap_sock_state_change_cb()` then attempts to write to `sk->sk_state` on a NULL pointer, causing a kernel crash (denial of service).

Affected code

The vulnerability is in the function `l2cap_sock_state_change_cb()` in `net/bluetooth/l2cap_sock.c`. The function dereferences `chan->data` to obtain a `struct sock *sk` and then accesses `sk->sk_state` without first checking whether `sk` is NULL [patch_id=2565415].

What the fix does

The patch adds a NULL guard at the top of `l2cap_sock_state_change_cb()`: `if (!sk) return;` [patch_id=2565415]. This mirrors the same NULL check already present in the sibling callbacks `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()`. By returning early when `sk` is NULL, the fix prevents the subsequent dereference of `sk->sk_state` from operating on a NULL pointer, eliminating the null-ptr-deref.

Preconditions

  • Network: The attacker must be able to interact with the Bluetooth subsystem to trigger an L2CAP channel state change after the associated socket has been freed or its data pointer set to NULL.
  • Auth: No special authentication is required; the vulnerability can be triggered by a remote Bluetooth peer or a local process.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.