CVE-2026-45835
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null-pointer dereference in the Linux kernel's Bluetooth L2CAP socket callback allows denial of service via crafted Bluetooth connections.
Vulnerability
A null-pointer dereference vulnerability exists in the Linux kernel's Bluetooth L2CAP subsystem, specifically in the l2cap_sock_new_connection_cb() function. When a new L2CAP connection arrives on a listening channel, this callback reads the channel's parent socket pointer (chan->data) and locks it without first checking that the pointer is non-NULL, so a channel with no parent socket leads to a NULL pointer dereference. The issue affects multiple kernel versions prior to the inclusion of a fix that adds a NULL guard, similar to those already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
Exploitation
An attacker within Bluetooth range can trigger the vulnerability by initiating a malicious L2CAP connection attempt that causes the kernel to invoke the vulnerable callback on a channel whose parent socket pointer is NULL. No authentication or prior local access is required; the attack can be performed remotely over Bluetooth.
Impact
Successful exploitation results in a kernel NULL pointer dereference, typically causing a system crash (denial of service). In certain configurations, it may be possible to leverage this for arbitrary code execution, though the primary documented impact is kernel panic.
Mitigation
The fix has been applied in the Linux kernel mainline via commit 76083fb80f5a. Distributions should backport this commit to their stable kernels. Users are advised to update their kernel to the latest patched version. No workaround is available apart from disabling Bluetooth or restricting Bluetooth connections.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
ab77c8bc3026 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
1 file changed · +3 −1
net/bluetooth/l2cap_sock.c+3 −1 modifieddiff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 1960d35b3be0af..a91391a3a9d30a 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1464,6 +1464,9 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) { struct sock *sk, *parent = chan->data; + if (!parent) + return NULL; + lock_sock(parent); /* Check for backlog size */ -- cgit 1.3-korg
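Review bot: the added `if (!parent) return NULL;` only prevents the crash if every caller of the `new_connection` callback treats a NULL return as "refuse this connection" rather than using the result; that caller sits in the L2CAP core, outside this hunk and outside l2cap_sock.c, so the commit message should state that callers already check the return value (the `/* Check for backlog size */` context suggests the function already has a refusal path whose return value callers must be handling, but nothing visible here confirms it). The message also borrows its justification from `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()` without saying how `chan->data` comes to be NULL in this path; one sentence on that, plus a Fixes: tag if the origin is known, would let stable maintainers judge the backport.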
76083fb80f5a Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
1 file changed · +3 −1
net/bluetooth/l2cap_sock.c+3 −1 modifieddiff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 71e8c1b45bcee1..8994e9c5d179ae 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1498,6 +1498,9 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) { struct sock *sk, *parent = chan->data; + if (!parent) + return NULL; + lock_sock(parent); /* Check for backlog size */ -- cgit 1.3-korg
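Review bot: the guard copies `chan->data` into `parent` once and then tests it, which closes the NULL case only if whatever clears `chan->data` (socket close or teardown) is serialized against this callback, for example by both running under the channel lock; if the clear can race with the callback, `parent` can still go stale between the check and `lock_sock(parent)`. A sentence in the commit message naming the lock that makes the single check sufficient would settle this, since nothing in the hunk shows it.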
741e6024e315 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
1 file changed · +3 −1
net/bluetooth/l2cap_sock.c+3 −1 modifieddiff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 80a37d56b040f1..9de1e3ca939437 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1480,6 +1480,9 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) { struct sock *sk, *parent = chan->data; + if (!parent) + return NULL; + lock_sock(parent); /* Check for backlog size */ -- cgit 1.3-korg
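Review bot: this is the same three-line guard as the other listed commits, differing only in the hunk offset (`@@ -1480,6 +1480,9 @@`), so it is a stable backport; the visible subject carries no `commit <id> upstream` reference line, which a stable backport should include so the mainline fix can be traced. While all three callbacks (`new_connection`, `resume`, `ready`) now carry the identical check, it would be worth auditing the remaining users of `chan->data` in l2cap_sock.c on this branch in the same series rather than one callback at a time.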
0a120d961663 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
1 file changed · +3 −1
net/bluetooth/l2cap_sock.c+3 −1 modifieddiff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 879c9f90269a87..cf590a67d3641c 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1498,6 +1498,9 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) { struct sock *sk, *parent = chan->data; + if (!parent) + return NULL; + lock_sock(parent); /* Check for backlog size */ -- cgit 1.3-korg
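Review bot: with this guard a NULL `chan->data` is silently turned into a refused connection, which hides the lifetime bug that left a listening channel without its parent socket; a `BT_DBG()` line before the `return NULL;` (or a rate-limited warning) would make that state visible in the log when it recurs, at no cost on the normal path. The hunk and offset (`@@ -1498`) are identical to 76083fb80f5a, so the backport itself applies cleanly.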
bc3bb9f40da8 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
1 file changed · +3 −1
net/bluetooth/l2cap_sock.c+3 −1 modifieddiff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 697b997f3fb653..88b4625a45b3e4 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1467,6 +1467,9 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) { struct sock *sk, *parent = chan->data; + if (!parent) + return NULL; + lock_sock(parent); /* Check for backlog size */ -- cgit 1.3-korg
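Review bot: the hunk offset (`@@ -1467,6 +1467,9 @@`) differs from every other copy, so the surrounding file differs on this branch; only the three inserted lines and two lines of context are visible, so confirm on this branch that the guard still precedes the first use of `parent` (nothing between the `parent = chan->data` declaration and `lock_sock(parent)` was reordered) and that the backport message names the upstream commit it carries.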
Vulnerability mechanics
Root cause
"Missing NULL pointer check on `chan->data` (the parent socket) in `l2cap_sock_new_connection_cb()` allows a null-ptr-deref when the callback is invoked without a valid parent socket."
Attack vector
An attacker within Bluetooth range can trigger a null-ptr-deref in the L2CAP layer by causing a new connection callback (`l2cap_sock_new_connection_cb`) to fire on a channel whose `chan->data` pointer (the parent socket) has not been set or has already been cleared. The function dereferences `parent` via `lock_sock(parent)` without a NULL check, leading to a kernel crash. No authentication is required beyond Bluetooth proximity.
Affected code
The vulnerable function is `l2cap_sock_new_connection_cb()` in `net/bluetooth/l2cap_sock.c`. The function retrieves `parent = chan->data` and then calls `lock_sock(parent)` without first checking whether `parent` is NULL.
What the fix does
The patch adds a NULL guard (`if (!parent) return NULL;`) at the top of `l2cap_sock_new_connection_cb()` in `net/bluetooth/l2cap_sock.c`, matching the existing guards already present in `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()`. This prevents the null-ptr-deref by returning early when `chan->data` is NULL, avoiding the subsequent `lock_sock(parent)` call on a NULL pointer.
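The guard described above, modelled as an added example (this is not kernel code and is not taken from any of the listed commits): a cut-down C model of l2cap_sock_new_connection_cb() with and without the check, next to a hypothetical caller, l2cap_connect_model(), that treats a NULL return as "refuse the connection". struct sock, struct l2cap_chan, lock_sock() and release_sock() are simplified stand-ins that only borrow the kernel's names, and the backlog check is an assumed reading of the hunk's /* Check for backlog size */ comment.

```c
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Stand-in for struct sock: only the fields this model needs. */
struct sock {
    int locked;
    int backlog_len;   /* child connections already queued */
    int backlog_max;   /* listen() backlog limit (assumed semantics) */
};

/* Stand-in for struct l2cap_chan.  For a listening channel, data points at
 * the owning (parent) socket; it is NULL once the socket has been detached. */
struct l2cap_chan {
    struct sock *data;
};

static void lock_sock(struct sock *sk)    { sk->locked = 1; }
static void release_sock(struct sock *sk) { sk->locked = 0; }

/* Shared tail of the callback: check the backlog, then create the child
 * channel.  Called with the parent socket locked; releases it before return. */
static struct l2cap_chan *accept_child(struct sock *parent)
{
    struct l2cap_chan *child = NULL;

    /* Check for backlog size */
    if (parent->backlog_len < parent->backlog_max) {
        child = calloc(1, sizeof(*child));
        if (child) {
            child->data = parent;
            parent->backlog_len++;
        }
    }
    release_sock(parent);
    return child;
}

/* Callback as it was before the fix: parent is handed straight to
 * lock_sock(), so a NULL chan->data is dereferenced immediately. */
struct l2cap_chan *new_connection_cb_unguarded(struct l2cap_chan *chan)
{
    struct sock *parent = chan->data;

    lock_sock(parent);          /* faults here when parent == NULL */
    return accept_child(parent);
}

/* Callback with the patch's guard: no parent socket means there is nowhere
 * to queue the connection, so refuse it instead of crashing. */
struct l2cap_chan *new_connection_cb_guarded(struct l2cap_chan *chan)
{
    struct sock *parent = chan->data;

    if (!parent)
        return NULL;

    lock_sock(parent);
    return accept_child(parent);
}

/* Hypothetical model of the caller (the real one is in the L2CAP core and is
 * not shown on this page): a NULL return must mean "reject the connection".
 * Returns 0 when accepted, -1 when refused. */
int l2cap_connect_model(struct l2cap_chan *listen_chan,
                        struct l2cap_chan *(*new_connection)(struct l2cap_chan *))
{
    struct l2cap_chan *child = new_connection(listen_chan);

    if (!child)
        return -1;    /* send a connection-refused response */
    free(child);      /* the model does not keep the child around */
    return 0;         /* connection accepted */
}

int main(void)
{
    struct sock parent = { .backlog_max = 1 };
    struct l2cap_chan listening = { .data = &parent };
    struct l2cap_chan orphaned  = { .data = NULL };   /* parent socket already gone */

    printf("live parent: %s\n",
           l2cap_connect_model(&listening, new_connection_cb_guarded) == 0 ? "accepted" : "refused");
    printf("NULL parent: %s\n",
           l2cap_connect_model(&orphaned, new_connection_cb_guarded) == 0 ? "accepted" : "refused");
    /* new_connection_cb_unguarded(&orphaned) would fault inside lock_sock(). */
    return 0;
}
```

The caller side is the part the hunk does not show: the guard is only as good as the callers' handling of a NULL return, which is the first thing to confirm when backporting a check like this to another branch.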
Preconditions
- network: Attacker must be within Bluetooth radio range of the target device.
- config: The target must have Bluetooth enabled and an L2CAP socket in a state where chan->data can be NULL when the new_connection callback fires.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/0a120d96166301d7a95be75b52f843837dbd1219 (NVD)
- git.kernel.org/stable/c/741e6024e31587b0c021b6616a9e428a4ea0b64a (NVD)
- git.kernel.org/stable/c/76083fb80f5a38ac13326b2d810f66bd07771eea (NVD)
- git.kernel.org/stable/c/ab77c8bc30269bee15d917059a66bea48909f5f0 (NVD)
- git.kernel.org/stable/c/bc3bb9f40da8e53896abc2d29c6d0c6686fe4ab9 (NVD)
News mentions
No linked articles in our index yet.