CVE-2026-23462

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: HIDP: Fix possible UAF

This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called:

[ 97.809249] l2capconnfree: freeing conn ffff88810a171c00 [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: reprostandalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 [ 97.809947] Call Trace: [ 97.809954] <TASK> [ 97.809961] dumpstacklvl (lib/dumpstack.c:122) [ 97.809990] l2capconnfree (net/bluetooth/l2capcore.c:1808) [ 97.810017] l2capconndel (./include/linux/kref.h:66 net/bluetooth/l2capcore.c:1821 net/bluetooth/l2capcore.c:1798) [ 97.810055] l2capdisconncfm (net/bluetooth/l2capcore.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1)) [ 97.810086] ? __pfxl2capdisconncfm (net/bluetooth/l2capcore.c:7341) [ 97.810117] hciconnhashflush (./include/net/bluetooth/hcicore.h:2152 (discriminator 2) net/bluetooth/hciconn.c:2644 (discriminator 2)) [ 97.810148] hcidevclosesync (net/bluetooth/hci_sync.c:5360) [ 97.810180] ? __pfxhcidevclosesync (net/bluetooth/hcisync.c:5285) [ 97.810212] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) [ 97.810242] ? upwrite (./arch/x86/include/asm/atomic6464.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5)) [ 97.810267] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) [ 97.810290] ? rcuiswatching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/contexttracking.h:128 kernel/rcu/tree.c:752) [ 97.810320] hciunregisterdev (net/bluetooth/hcicore.c:504 net/bluetooth/hcicore.c:2716) [ 97.810346] vhcirelease (drivers/bluetooth/hcivhci.c:691) [ 97.810375] ? __pfxvhcirelease (drivers/bluetooth/hci_vhci.c:678) [ 97.810404] __fput (fs/filetable.c:470) [ 97.810430] taskworkrun (kernel/taskwork.c:235) [ 97.810451] ? __pfxtaskworkrun (kernel/taskwork.c:201) [ 97.810472] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) [ 97.810495] ? dorawspinunlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlockdebug.c:142 (discriminator 5)) [ 97.810527] doexit (kernel/exit.c:972) [ 97.810547] ? srsoaliasreturn_thunk (arch/x86/lib/retpoline.S:221) [ 97.810574] ? __pfxdoexit (kernel/exit.c:897) [ 97.810594] ? lockacquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) [ 97.810616] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) [ 97.810639] ? dorawspinlock (kernel/locking/spinlockdebug.c:95 (discriminator 4) kernel/locking/spinlockdebug.c:118 (discriminator 4)) [ 97.810664] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) [ 97.810688] ? findheldlock (kernel/locking/lockdep.c:5350 (discriminator 1)) [ 97.810721] dogroupexit (kernel/exit.c:1093) [ 97.810745] getsignal (kernel/signal.c:3007 (discriminator 1)) [ 97.810772] ? securityfilepermission (./arch/x86/include/asm/jumplabel.h:37 security/security.c:2366) [ 97.810803] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) [ 97.810826] ? vfsread (fs/read_write.c:555) [ 97.810854] ? __pfxgetsignal (kernel/signal.c:2800) [ 97.810880] ? srsoaliasreturn_thunk (arch/x86/lib/retpoline.S:221) [ 97.810905] ? __pfxvfsread (fs/readwrite.c:555) [ 97.810932] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) [ 97.810960] archdosignalorrestart (arch/ ---truncated---