Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()

Add the same NULL guard already present in
l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
Published: 2026-05-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference in the Bluetooth L2CAP layer of the Linux kernel can cause the operating system to crash when a socket’s state changes. The vulnerable callback l2cap_sock_state_change_cb() lacked a null guard that is present in similar callbacks, and when triggered the kernel panics, resulting in a denial of service for the host.

Affected Systems

The flaw exists in all Linux kernel releases prior to commit 1810e42ff6716f320c7269d5850eca48b07b7427. Any system running an unpatched kernel with the Bluetooth L2CAP interface enabled is susceptible. The change is specific to the kernel’s Bluetooth implementation and does not affect user‑space applications directly.

Risk and Exploitability

The EPSS score is <1% and the flaw is not listed in CISA KEV, indicating no current documented exploitation. The CVSS score is 5.5. However, a kernel crash is a severe impact, and the bug can be triggered by sending crafted Bluetooth traffic that causes a socket state transition. Attackers would need the ability to interact with the Bluetooth subsystem, which could be local or potentially remote if the system exposes Bluetooth services. Because the flaw arises from a missing null guard, it cannot be exploited for code execution or privilege escalation based on the current description.

Generated by OpenCVE AI on May 28, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes commit 1810e42ff6716f320c7269d5850eca48b07b7427
  • If an update is not immediately feasible, disable L2CAP sockets or block all Bluetooth traffic until the fix is applied
  • Limit local users’ interaction with Bluetooth devices by restricting access to /dev/bnep and /dev/bluetooth interfaces to privileged users only

Generated by OpenCVE AI on May 28, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 26 May 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
Title Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:45:52.350Z

Reserved: 2026-05-13T15:03:33.077Z

Link: CVE-2026-45834

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-26T17:16:48.073

Modified: 2026-06-01T17:17:11.173

Link: CVE-2026-45834

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-26T00:00:00Z

Links: CVE-2026-45834 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T01:30:03Z

Weaknesses