Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()

l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer
and id_addr_timer while holding conn->lock. However, the work functions
l2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire
conn->lock, creating a potential AB-BA deadlock if the work is already
executing when l2cap_conn_del() takes the lock.

Move the work cancellations before acquiring conn->lock and use
disable_delayed_work_sync() to additionally prevent the works from
being rearmed after cancellation, consistent with the pattern used in
hci_conn_del().
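
The ordering problem described above can be checked with a small lock-dependency graph, in the spirit of lock-order validation. This is an added user-space example, not kernel code or the upstream patch; the enum values and the helpers `depends()`, `reaches()`, `has_deadlock_cycle()` and `model_conn_del()` are hypothetical names, and each delayed work item is modelled as a resource that a synchronous cancel waits on.

```c
/* Added illustration: a user-space model of lock-order tracking, not kernel code. */
#include <stdio.h>
#include <string.h>

enum { CONN_LOCK, INFO_WORK, ID_ADDR_WORK, NCLASS };  /* things a task can wait on */

struct graph { int edge[NCLASS][NCLASS]; };

/* Record "while holding `held`, the code blocks waiting for `wanted`". */
static void depends(struct graph *g, int held, int wanted) { g->edge[held][wanted] = 1; }

/* Depth-first search: can `from` reach `target` through recorded edges? */
static int reaches(const struct graph *g, int from, int target, int *seen) {
    if (from == target) return 1;
    if (seen[from]) return 0;
    seen[from] = 1;
    for (int n = 0; n < NCLASS; n++)
        if (g->edge[from][n] && reaches(g, n, target, seen)) return 1;
    return 0;
}

/* A cycle exists if some edge a->b can be followed from b back to a. */
static int has_deadlock_cycle(const struct graph *g) {
    for (int a = 0; a < NCLASS; a++)
        for (int b = 0; b < NCLASS; b++) {
            int seen[NCLASS] = {0};
            if (g->edge[a][b] && reaches(g, b, a, seen)) return 1;
        }
    return 0;
}

/* Model l2cap_conn_del() with the sync cancel under conn->lock or before it. */
static int model_conn_del(int cancel_under_lock) {
    struct graph g;
    memset(&g, 0, sizeof g);
    /* Both work functions acquire conn->lock while they run. */
    depends(&g, INFO_WORK, CONN_LOCK);
    depends(&g, ID_ADDR_WORK, CONN_LOCK);
    if (cancel_under_lock) {
        /* Old order: the sync cancel waits for running work with conn->lock held. */
        depends(&g, CONN_LOCK, INFO_WORK);
        depends(&g, CONN_LOCK, ID_ADDR_WORK);
    }
    /* New order: the sync cancel runs with no lock held, so it adds no edge. */
    return has_deadlock_cycle(&g);
}

int main(void) {
    printf("cancel under conn->lock:  cycle=%d\n", model_conn_del(1));
    printf("cancel before conn->lock: cycle=%d\n", model_conn_del(0));
    return 0;
}
```
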
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A deadlock can occur when the Bluetooth L2CAP connection teardown routine holds a lock while cancelling delayed work that also tries to acquire the same lock. If the work is already executing, the routine may deadlock, freezing the task that performed the deletion and potentially hanging dependent processes. The flaw results in a denial of service rather than a breach of confidentiality or integrity. The attack vector is inferred to involve an attacker capable of initiating a Bluetooth L2CAP connection deletion while the timers remain active, which can be achieved either remotely as a malicious Bluetooth client or locally by a user with sufficient privileges.

Affected Systems

All Linux kernel installations that contain the L2CAP code before the referenced patch are affected. This includes any Linux distribution that has not yet applied the commit that moves the work cancellations outside the lock. The precise kernel versions are not listed, but the fix is present in patches traced by the Git commit links provided.

Risk and Exploitability

The description does not state the attack vector explicitly; it is inferred that an attacker must be able to trigger an L2CAP connection deletion while the related timers are active, either remotely as a malicious Bluetooth client or locally as a user with privileges sufficient to manage Bluetooth connections. The CVSS score is 5.5 and the EPSS score is < 1%; the vulnerability is not listed in the CISA KEV catalog, indicating that it might not be actively exploited in the wild. Nonetheless, the potential for a service disruption warrants prompt remediation.

Generated by OpenCVE AI on April 29, 2026 at 01:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that contains the L2CAP deadlock fix, ensuring the kernel commits referenced in the advisory are applied.
  • If a kernel update is not immediately possible, temporarily disable the Bluetooth L2CAP interface or the entire Bluetooth stack to prevent the use of the vulnerable code path.
  • Reboot the system after applying the kernel update to activate the new code.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:15:00 +0000


Tue, 28 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824

Tue, 28 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 27 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer and id_addr_timer while holding conn->lock. However, the work functions l2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire conn->lock, creating a potential AB-BA deadlock if the work is already executing when l2cap_conn_del() takes the lock. Move the work cancellations before acquiring conn->lock and use disable_delayed_work_sync() to additionally prevent the works from being rearmed after cancellation, consistent with the pattern used in hci_conn_del().
Title Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-14T14:30:11.358Z

Reserved: 2026-03-09T15:48:24.104Z

Link: CVE-2026-31499

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-04-22T14:16:48.283

Modified: 2026-05-14T15:16:45.357

Link: CVE-2026-31499

Redhat

Severity: Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31499 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T02:00:27Z

Weaknesses