CVE-2026-45836
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null-pointer dereference in the Linux kernel's Bluetooth L2CAP socket handler can be triggered by a crafted sequence of operations, potentially causing a denial of service.
Vulnerability
A null-pointer dereference (null-ptr-deref) vulnerability exists in the l2cap_sock_get_sndtimeo_cb() function in the Linux kernel's Bluetooth L2CAP implementation. The issue occurs because the function lacks the NULL guard that is already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). This can lead to a denial of service (system crash) when a socket is in a certain state. Linux kernel versions prior to the referenced stable commits [1][2][3][4] are affected.
Exploitation
Exploitation requires a local attacker with the ability to interact with a Bluetooth L2CAP socket in a way that triggers the vulnerable code path. The exact conditions involve a specific sequence of socket operations that cause l2cap_sock_get_sndtimeo_cb() to be called on a socket that has already been freed or is in an invalid state, resulting in a NULL pointer being dereferenced. No special privilege beyond local user access to Bluetooth sockets is likely needed, but the attack would require precise timing and control over the socket lifecycle.
Impact
Successful exploitation results in a kernel NULL pointer dereference, leading to a system crash (denial of service). The impact is to availability: the attacker can cause the targeted system to become unavailable. There is no indication of privilege escalation or data leakage in the available references.
Mitigation
The fix has been applied in the Linux kernel stable commits [1][2][3][4], which add the missing NULL check. Users should update their kernel to a version that includes one of these commits. As of the publication date (2026-05-26), the fix is available in the upstream stable tree. No workaround is documented in the provided references; applying the kernel patch is the recommended mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
78a88d43dab8 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
1 file changed · +3 −1
net/bluetooth/l2cap_sock.c+3 −1 modifieddiff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index fb3cb70a5a39d0..879c9f90269a87 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1761,6 +1761,9 @@ static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) { struct sock *sk = chan->data; + if (!sk) + return 0; + return READ_ONCE(sk->sk_sndtimeo); } -- cgit 1.3-korg
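Review bot: the new guard `if (!sk) return 0;` makes a channel with no socket attached report a zero send timeout, but nothing in the hunk says when chan->data can be NULL; a one-line comment above the check, for example `/* socket already detached from the channel */`, would document the lifecycle state the guard protects against, since the commit message only points to l2cap_sock_resume_cb() and l2cap_sock_ready_cb() for precedent. Worth confirming at review that callers of the get_sndtimeo op treat a 0 return as "no timeout", which is what an attached socket with sk_sndtimeo == 0 already yields, so the fallback value is consistent with existing behaviour.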
a93d66907dd4 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
1 file changed · +3 −1
net/bluetooth/l2cap_sock.c+3 −1 modifieddiff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 1cf70eaeb1ee77..cf590a67d3641c 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1764,6 +1764,9 @@ static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) { struct sock *sk = chan->data; + if (!sk) + return 0; + return READ_ONCE(sk->sk_sndtimeo); } -- cgit 1.3-korg
32bd343803d4 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
1 file changed · +3 −1
net/bluetooth/l2cap_sock.c+3 −1 modifieddiff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index d1017d7f5ca78f..15637402a39de8 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1747,6 +1747,9 @@ static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) { struct sock *sk = chan->data; + if (!sk) + return 0; + return READ_ONCE(sk->sk_sndtimeo); } -- cgit 1.3-korg
58dc5e3d8768 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
1 file changed · +3 −1
net/bluetooth/l2cap_sock.c+3 −1 modifieddiff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 7e0da1bdffdaa4..aeaff5ccac395c 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1734,6 +1734,9 @@ static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) { struct sock *sk = chan->data; + if (!sk) + return 0; + return sk->sk_sndtimeo; } -- cgit 1.3-korg
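Review bot: the guard is identical to the mainline hunk, but the read it protects stays the plain `return sk->sk_sndtimeo;` rather than the `READ_ONCE(sk->sk_sndtimeo)` seen in the newer branches; that matches the pre-existing code on this stable branch, so keeping the backport minimal is the right call and no change to the hunk is needed, only a sentence in the backport description noting that the READ_ONCE difference is intentional.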
cf1fd517f892 Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
1 file changed · +3 −1
net/bluetooth/l2cap_sock.c+3 −1 modifieddiff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index a9816313407539..fd727a2961fa7e 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1731,6 +1731,9 @@ static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) { struct sock *sk = chan->data; + if (!sk) + return 0; + return sk->sk_sndtimeo; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing NULL pointer check in l2cap_sock_get_sndtimeo_cb() allows dereferencing chan->data when it is NULL."
Attack vector
An attacker can trigger a NULL-pointer dereference in the Bluetooth L2CAP subsystem by causing the L2CAP channel's `data` field (which points to a `struct sock`) to become NULL before `l2cap_sock_get_sndtimeo_cb()` is called. This can occur during certain channel lifecycle transitions where the socket has been detached from the channel but the callback is still invoked. The crash manifests as a kernel NULL-pointer dereference, leading to a denial of service (system panic or oops). No authentication or special privileges are required beyond the ability to interact with the Bluetooth stack.
Affected code
The vulnerable function is `l2cap_sock_get_sndtimeo_cb()` in `net/bluetooth/l2cap_sock.c`. The function retrieves `struct sock *sk = chan->data` and then directly accesses `sk->sk_sndtimeo` (or `READ_ONCE(sk->sk_sndtimeo)`) without first checking whether `sk` is NULL.
What the fix does
The patch adds a NULL guard (`if (!sk) return 0;`) at the top of `l2cap_sock_get_sndtimeo_cb()` in `net/bluetooth/l2cap_sock.c` [patch_id=2565396]. This mirrors the same NULL check already present in the sibling callbacks `l2cap_sock_resume_cb()` and `l2cap_sock_ready_cb()`. By returning 0 early when `chan->data` is NULL, the function avoids dereferencing a NULL pointer, preventing the null-ptr-deref crash.
Preconditions
- input: The attacker must be able to interact with the Bluetooth stack (e.g., via L2CAP connections) to trigger a channel lifecycle state where chan->data becomes NULL before the callback is invoked.
- config: The system must have the Bluetooth subsystem enabled and an L2CAP channel in a state that invokes l2cap_sock_get_sndtimeo_cb() after the socket has been detached.
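The following user-space C model is an added illustration, not kernel code and not part of this CVE record. It reproduces the shape of the bug and the fix: an L2CAP channel carries an opaque `data` pointer to the socket that owns it plus an ops table the core calls through, so once the socket is detached (modelled here by an assumed `detach_socket()` helper that clears `chan->data`) the core can still reach the callback with a NULL socket. The struct and field names (`l2cap_chan`, `data`, `sk_sndtimeo`, `get_sndtimeo`) mirror the kernel's, but the types are simplified stand-ins and the timeout value is constructed.

```c
#include <stddef.h>

/*
 * Constructed user-space stand-ins for the kernel types involved. They
 * keep the kernel's names so the flow is recognisable but are not the
 * real definitions.
 */
struct sock {
    long sk_sndtimeo;               /* send timeout, constructed value below */
};

struct l2cap_chan;

struct l2cap_ops {
    long (*get_sndtimeo)(struct l2cap_chan *chan);
};

struct l2cap_chan {
    void *data;                     /* owning struct sock, or NULL once detached */
    const struct l2cap_ops *ops;
};

/* Pre-fix shape of the callback: dereferences chan->data unconditionally. */
static long get_sndtimeo_unguarded(struct l2cap_chan *chan)
{
    struct sock *sk = chan->data;

    return sk->sk_sndtimeo;         /* NULL dereference if the socket is gone */
}

/* Post-fix shape: the guard the patch adds, returning 0 when no socket is attached. */
static long get_sndtimeo_guarded(struct l2cap_chan *chan)
{
    struct sock *sk = chan->data;

    if (!sk)
        return 0;
    return sk->sk_sndtimeo;
}

/*
 * Assumed lifecycle step that makes the bug reachable: the socket is
 * unlinked from the channel while the channel and its ops table stay alive.
 */
static void detach_socket(struct l2cap_chan *chan)
{
    chan->data = NULL;
}

/* The core side: calls through the ops table and never inspects chan->data itself. */
static long core_query_sndtimeo(struct l2cap_chan *chan)
{
    return chan->ops->get_sndtimeo(chan);
}

/* Attached socket: both callback versions agree, the guard never fires. */
long query_while_attached(int use_guard)
{
    struct sock sk = { .sk_sndtimeo = 5000 };     /* constructed timeout */
    const struct l2cap_ops ops = {
        .get_sndtimeo = use_guard ? get_sndtimeo_guarded : get_sndtimeo_unguarded,
    };
    struct l2cap_chan chan = { .data = &sk, .ops = &ops };

    return core_query_sndtimeo(&chan);
}

/*
 * Detached socket with the guarded callback: the core still invokes the op,
 * and the guard turns what would be a NULL dereference into a 0 result.
 * Running the unguarded variant in this state is exactly the crash the CVE
 * describes, so it is deliberately not exercised here.
 */
long query_after_detach_guarded(void)
{
    struct sock sk = { .sk_sndtimeo = 5000 };     /* constructed timeout */
    const struct l2cap_ops ops = { .get_sndtimeo = get_sndtimeo_guarded };
    struct l2cap_chan chan = { .data = &sk, .ops = &ops };

    detach_socket(&chan);
    return core_query_sndtimeo(&chan);            /* 0, no crash */
}
```

The point of the model is the ownership asymmetry: the channel's ops table outlives the socket that `data` points to, so any callback that reads `chan->data` without a guard is only safe as long as the core never calls it in the detached window. The kernel fix closes that window for `get_sndtimeo` the same way the already-guarded `resume` and `ready` callbacks do.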
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/32bd343803d4ba47cc516f9d5f037f01b855d767 (nvd)
- git.kernel.org/stable/c/58dc5e3d8768e121907608e6e196a908512fb083 (nvd)
- git.kernel.org/stable/c/78a88d43dab8d23aeef934ed8ce34d40e6b3d613 (nvd)
- git.kernel.org/stable/c/a93d66907dd4d29b65c9797a93784bf61906d6d6 (nvd)
- git.kernel.org/stable/c/cf1fd517f892ded88168df878f834b625133f86d (nvd)