CVE-2026-23461

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user

After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del().

This can lead to use-after-free and list corruption bugs, as reported by syzbot.

Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxefc30877bd4bc85fefe98d80af60fafc86e5775e < 11a87dd5df428a4b79a84d2790cac7f3c73f1f0daffected
LinuxLinuxf87271d21dd4ee83857ca11b94e7b4952749bbae < c22a5e659959eb77c2fbb58a5adfaf3c3dab7abfaffected
LinuxLinuxab4eedb790cae44313759b50fe47da285e2519d5 < da3000cbe4851458a22be38bb18c0689c39fdd5faffected
LinuxLinuxab4eedb790cae44313759b50fe47da285e2519d5 < 71030f3b3015a412133a805ff47970cdcf30c2b8affected
LinuxLinuxab4eedb790cae44313759b50fe47da285e2519d5 < 752a6c9596dd25efd6978a73ff21f3b592668f4aaffected
LinuxLinux18ab6b6078fa8191ca30a3065d57bf35d5635761affected
LinuxLinux6.6.84 < 6.6.130affected
LinuxLinux6.12.20 < 6.12.78affected
LinuxLinux6.13.8 < 6.14affected
LinuxLinux6.14affected
LinuxLinux0 < 6.14unaffected
LinuxLinux6.6.130 <= 6.6.*unaffected
LinuxLinux6.12.78 <= 6.12.*unaffected
LinuxLinux6.18.20 <= 6.18.*unaffected
LinuxLinux6.19.10 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References