CVE-2026-23461 PUBLISHED

Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user

Assigner: Linux
Reserved: 13.01.2026 Published: 03.04.2026 Updated: 03.04.2026

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user

After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del().

This can lead to use-after-free and list corruption bugs, as reported by syzbot.

Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from efc30877bd4bc85fefe98d80af60fafc86e5775e to 11a87dd5df428a4b79a84d2790cac7f3c73f1f0d (excl.)
  • affected from f87271d21dd4ee83857ca11b94e7b4952749bbae to c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf (excl.)
  • affected from ab4eedb790cae44313759b50fe47da285e2519d5 to da3000cbe4851458a22be38bb18c0689c39fdd5f (excl.)
  • affected from ab4eedb790cae44313759b50fe47da285e2519d5 to 71030f3b3015a412133a805ff47970cdcf30c2b8 (excl.)
  • affected from ab4eedb790cae44313759b50fe47da285e2519d5 to 752a6c9596dd25efd6978a73ff21f3b592668f4a (excl.)
  • Version 18ab6b6078fa8191ca30a3065d57bf35d5635761 is affected
Vendor Linux
Product Linux
Versions Default: affected
  • Version 6.14 is affected
  • unaffected from 0 to 6.14 (excl.)
  • unaffected from 6.6.130 to 6.6.* (incl.)
  • unaffected from 6.12.78 to 6.12.* (incl.)
  • unaffected from 6.18.20 to 6.18.* (incl.)
  • unaffected from 6.19.10 to 6.19.* (incl.)
  • unaffected from 7.0-rc5 to * (incl.)

References