CVE-2026-23461
- Source
- https://cve.org/CVERecord?id=CVE-2026-23461
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23461.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23461
- Downstream
- Published
- 2026-04-03T15:15:41.051Z
- Modified
- 2026-04-14T03:48:06.128663Z
- Summary
- Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free in l2capunregisteruser
After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hcichandel"), l2capconndel() uses conn->lock to protect access to conn->users. However, l2capregisteruser() and l2capunregisteruser() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2capconndel().
This can lead to use-after-free and list corruption bugs, as reported by syzbot.
Fix this by changing l2capregisteruser() and l2capunregisteruser() to use conn->lock instead of hcidevlock(), ensuring consistent locking for the l2cap_conn structure.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23461.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d
- https://git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8
- https://git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4a
- https://git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf
- https://git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5f
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23461.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23461
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedefc30877bd4bc85fefe98d80af60fafc86e5775eFixed11a87dd5df428a4b79a84d2790cac7f3c73f1f0d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedf87271d21dd4ee83857ca11b94e7b4952749bbaeFixedc22a5e659959eb77c2fbb58a5adfaf3c3dab7abf
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedab4eedb790cae44313759b50fe47da285e2519d5Fixedda3000cbe4851458a22be38bb18c0689c39fdd5fFixed71030f3b3015a412133a805ff47970cdcf30c2b8Fixed752a6c9596dd25efd6978a73ff21f3b592668f4a
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected18ab6b6078fa8191ca30a3065d57bf35d5635761
Linux / Kernel
Package
- Name
- Kernel