Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user

After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in
hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to
conn->users. However, l2cap_register_user() and l2cap_unregister_user()
don't use conn->lock, creating a race condition where these functions can
access conn->users and conn->hchan concurrently with l2cap_conn_del().

This can lead to use-after-free and list corruption bugs, as reported
by syzbot.

Fix this by changing l2cap_register_user() and l2cap_unregister_user()
to use conn->lock instead of hci_dev_lock(), ensuring consistent locking
for the l2cap_conn structure.
Published: 2026-04-03
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free may lead to memory corruption and potential code execution
Action: Immediate Patch
AI Analysis

Impact

A race condition in the Linux kernel’s Bluetooth L2CAP subsystem allows concurrent manipulation of the l2cap_conn structure without appropriate locking. The functions l2cap_register_user() and l2cap_unregister_user() used hci_dev_lock instead of conn->lock, overlapping with l2cap_conn_del() and creating a use‑after‑free and list corruption scenario. If triggered, this could corrupt kernel memory or provide a foothold for code execution.
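The locking discipline the fix describes, as an added illustration: this is a user-space model written for this page, not the kernel patch. The function names mirror the advisory; the pthread mutex standing in for conn->lock, the simplified list, the `removed` counter and the error checks are assumptions of the model.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

/* User-space model; names mirror the advisory, bodies are illustrative. */
struct user { struct user *next, *prev; int removed; };   /* list node */
struct conn {
    pthread_mutex_t lock;   /* stands in for conn->lock */
    void *hchan;            /* NULL once conn_del() has run */
    struct user users;      /* list head, stands in for conn->users */
};

static void conn_init(struct conn *c, void *hchan) {
    pthread_mutex_init(&c->lock, NULL);
    c->hchan = hchan;
    c->users.next = c->users.prev = &c->users;
}
static void user_init(struct user *u) { u->next = u->prev = u; u->removed = 0; }
static int linked(const struct user *u) { return u->next != u; }
static void unlink_user(struct user *u) {
    u->prev->next = u->next; u->next->prev = u->prev;
    u->next = u->prev = u; u->removed++;
}

int register_user(struct conn *c, struct user *u) {
    int ret = 0;
    pthread_mutex_lock(&c->lock);          /* same lock as conn_del() */
    if (linked(u)) ret = -EINVAL;          /* already on a list */
    else if (!c->hchan) ret = -ENODEV;     /* connection already torn down */
    else {                                 /* add at head of the users list */
        u->next = c->users.next; u->prev = &c->users;
        c->users.next->prev = u; c->users.next = u;
    }
    pthread_mutex_unlock(&c->lock);
    return ret;
}

void unregister_user(struct conn *c, struct user *u) {
    pthread_mutex_lock(&c->lock);
    if (linked(u)) unlink_user(u);         /* no-op if conn_del() got here first */
    pthread_mutex_unlock(&c->lock);
}

void conn_del(struct conn *c) {
    pthread_mutex_lock(&c->lock);
    while (c->users.next != &c->users) unlink_user(c->users.next);
    c->hchan = NULL;                       /* later register_user() gets -ENODEV */
    pthread_mutex_unlock(&c->lock);
}
```

Because all three paths serialize on the one mutex, each user is unlinked exactly once regardless of which of unregister_user() or conn_del() runs first.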

Affected Systems

The flaw affects Linux kernels that include commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del") but not the later fix that switches l2cap_register_user() and l2cap_unregister_user() to conn->lock. As the vendor list indicates Linux:Linux, any distribution shipping such a kernel build is potentially vulnerable. The fix is incorporated in kernel revisions containing that later change, so systems running kernels with it are not affected by this issue.

Risk and Exploitability

The CVSS score of 8.8 indicates high impact, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is via the Bluetooth interface, where an attacker could craft traffic to trigger the race condition. This inference is based on the description that the flaw involves Bluetooth L2CAP, and no publicly disclosed exploit is available.

Generated by OpenCVE AI on April 28, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the fix for l2cap_register_user() and l2cap_unregister_user() described above, which follows commit ab4eedb790ca.
  • Apply any vendor‑supplied security patches or backported fixes for the Bluetooth L2CAP subsystem.
  • Maintain regular updates and monitor kernel changelogs for additional Bluetooth L2CAP patches.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-413
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del(). This can lead to use-after-free and list corruption bugs, as reported by syzbot. Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.
Title Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:38.897Z

Reserved: 2026-01-13T15:37:46.021Z

Link: CVE-2026-23461

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-03T16:16:33.140

Modified: 2026-04-27T14:16:34.603

Link: CVE-2026-23461

Redhat

Severity: Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23461 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T16:45:06Z

Weaknesses