CVE-2026-23461
- Source
- https://cve.org/CVERecord?id=CVE-2026-23461
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23461.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23461
- Downstream
- Published
- 2026-04-03T15:15:41.051Z
- Modified
- 2026-05-15T04:14:26.251786849Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free in l2capunregisteruser
After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hcichandel"), l2capconndel() uses conn->lock to protect access to conn->users. However, l2capregisteruser() and l2capunregisteruser() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2capconndel().
This can lead to use-after-free and list corruption bugs, as reported by syzbot.
Fix this by changing l2capregisteruser() and l2capunregisteruser() to use conn->lock instead of hcidevlock(), ensuring consistent locking for the l2cap_conn structure.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23461.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d
- https://git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8
- https://git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4a
- https://git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf
- https://git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5f
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23461.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23461
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Linux / Kernel
Package
- Name
- Kernel