{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23461", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.021Z", "datePublished": "2026-04-03T15:15:41.051Z", "dateUpdated": "2026-04-03T15:15:41.051Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:41.051Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\n\nAfter commit ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in\nhci_chan_del\"), l2cap_conn_del() uses conn->lock to protect access to\nconn->users. However, l2cap_register_user() and l2cap_unregister_user()\ndon't use conn->lock, creating a race condition where these functions can\naccess conn->users and conn->hchan concurrently with l2cap_conn_del().\n\nThis can lead to use-after-free and list corruption bugs, as reported\nby syzbot.\n\nFix this by changing l2cap_register_user() and l2cap_unregister_user()\nto use conn->lock instead of hci_dev_lock(), ensuring consistent locking\nfor the l2cap_conn structure."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "efc30877bd4bc85fefe98d80af60fafc86e5775e", "lessThan": "11a87dd5df428a4b79a84d2790cac7f3c73f1f0d", "status": "affected", "versionType": "git"}, {"version": "f87271d21dd4ee83857ca11b94e7b4952749bbae", "lessThan": "c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf", "status": "affected", "versionType": "git"}, {"version": "ab4eedb790cae44313759b50fe47da285e2519d5", "lessThan": "da3000cbe4851458a22be38bb18c0689c39fdd5f", "status": "affected", "versionType": "git"}, {"version": "ab4eedb790cae44313759b50fe47da285e2519d5", "lessThan": "71030f3b3015a412133a805ff47970cdcf30c2b8", "status": "affected", "versionType": "git"}, {"version": "ab4eedb790cae44313759b50fe47da285e2519d5", "lessThan": "752a6c9596dd25efd6978a73ff21f3b592668f4a", "status": "affected", "versionType": "git"}, {"version": "18ab6b6078fa8191ca30a3065d57bf35d5635761", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.84", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.20", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "7.0-rc5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d"}, {"url": "https://git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf"}, {"url": "https://git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5f"}, {"url": "https://git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8"}, {"url": "https://git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4a"}], "title": "Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\n\nAfter commit ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in\nhci_chan_del\"), l2cap_conn_del() uses conn->lock to protect access to\nconn->users. However, l2cap_register_user() and l2cap_unregister_user()\ndon't use conn->lock, creating a race condition where these functions can\naccess conn->users and conn->hchan concurrently with l2cap_conn_del().\n\nThis can lead to use-after-free and list corruption bugs, as reported\nby syzbot.\n\nFix this by changing l2cap_register_user() and l2cap_unregister_user()\nto use conn->lock instead of hci_dev_lock(), ensuring consistent locking\nfor the l2cap_conn structure."}], "id": "CVE-2026-23461", "lastModified": "2026-04-07T13:21:09.600", "metrics": {}, "published": "2026-04-03T16:16:33.140", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user", "id": "2454828", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454828"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-413", "details": ["A flaw was found in the Linux kernel's Bluetooth L2CAP component. A race condition exists due to inconsistent locking mechanisms when registering and unregistering L2CAP users. This allows concurrent access to shared data structures, leading to use-after-free vulnerabilities and list corruption bugs. Exploitation of this flaw could result in a denial of service."], "name": "CVE-2026-23461", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23461\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23461\nhttps://lore.kernel.org/linux-cve-announce/2026040319-CVE-2026-23461-f03d@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[efc30877bd4bc85fefe98d80af60fafc86e5775e,11a87dd5df428a4b79a84d2790cac7f3c73f1f0d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f87271d21dd4ee83857ca11b94e7b4952749bbae,c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ab4eedb790cae44313759b50fe47da285e2519d5,da3000cbe4851458a22be38bb18c0689c39fdd5f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ab4eedb790cae44313759b50fe47da285e2519d5,71030f3b3015a412133a805ff47970cdcf30c2b8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ab4eedb790cae44313759b50fe47da285e2519d5,752a6c9596dd25efd6978a73ff21f3b592668f4a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "18ab6b6078fa8191ca30a3065d57bf35d5635761"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,7.0-rc5]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-07T10:09:24.493284+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that contains commit ab4eedb790ca or later.", "Verify the kernel version after the update to ensure the fix is present.", "Maintain regular updates and monitor kernel changelogs for additional Bluetooth L2CAP patches."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011after\u2011free may lead to memory corruption and potential code execution"}, "threat_synthesis": {"affected_systems": "The flaw affects all Linux kernels that include the buggy Bluetooth L2CAP implementation before the commit ab4eedb790ca. As the vendor list indicates Linux:Linux, any distribution shipping an older kernel build is potentially vulnerable. The fix is incorporated in kernel revisions containing that commit, so systems running newer kernels are safe.", "description_and_impact": "A race condition in the Linux kernel\u2019s Bluetooth L2CAP subsystem allows concurrent manipulation of the l2cap_conn structure without appropriate locking. The functions l2cap_register_user() and l2cap_unregister_user() used hci_dev_lock instead of conn->lock, overlapping with l2cap_conn_del() and creating a use\u2011after\u2011free and list corruption scenario. If triggered, this could corrupt kernel memory or provide a foothold for code execution.", "risk_and_exploitability": "The CVSS score of 7.0 indicates high impact, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is via the Bluetooth interface, where an attacker could craft traffic to trigger the race condition. This inference is based on the description that the flaw involves Bluetooth L2CAP, and no publicly disclosed exploit is available."}}}}, "created": "2026-04-03T21:13:37.493171+00:00", "updated": "2026-04-08T19:53:45.398099+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}