{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23461","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:46.021Z","datePublished":"2026-04-03T15:15:41.051Z","dateUpdated":"2026-05-11T22:07:26.122Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:07:26.122Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\n\nAfter commit ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in\nhci_chan_del\"), l2cap_conn_del() uses conn->lock to protect access to\nconn->users. However, l2cap_register_user() and l2cap_unregister_user()\ndon't use conn->lock, creating a race condition where these functions can\naccess conn->users and conn->hchan concurrently with l2cap_conn_del().\n\nThis can lead to use-after-free and list corruption bugs, as reported\nby syzbot.\n\nFix this by changing l2cap_register_user() and l2cap_unregister_user()\nto use conn->lock instead of hci_dev_lock(), ensuring consistent locking\nfor the l2cap_conn structure."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/l2cap_core.c"],"versions":[{"version":"efc30877bd4bc85fefe98d80af60fafc86e5775e","lessThan":"11a87dd5df428a4b79a84d2790cac7f3c73f1f0d","status":"affected","versionType":"git"},{"version":"f87271d21dd4ee83857ca11b94e7b4952749bbae","lessThan":"c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf","status":"affected","versionType":"git"},{"version":"ab4eedb790cae44313759b50fe47da285e2519d5","lessThan":"da3000cbe4851458a22be38bb18c0689c39fdd5f","status":"affected","versionType":"git"},{"version":"ab4eedb790cae44313759b50fe47da285e2519d5","lessThan":"71030f3b3015a412133a805ff47970cdcf30c2b8","status":"affected","versionType":"git"},{"version":"ab4eedb790cae44313759b50fe47da285e2519d5","lessThan":"752a6c9596dd25efd6978a73ff21f3b592668f4a","status":"affected","versionType":"git"},{"version":"18ab6b6078fa8191ca30a3065d57bf35d5635761","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/l2cap_core.c"],"versions":[{"version":"6.14","status":"affected"},{"version":"0","lessThan":"6.14","status":"unaffected","versionType":"semver"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.20","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.10","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.84","versionEndExcluding":"6.6.130"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.20","versionEndExcluding":"6.12.78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.18.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.19.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"7.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d"},{"url":"https://git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf"},{"url":"https://git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5f"},{"url":"https://git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8"},{"url":"https://git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4a"}],"title":"Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user","x_generator":{"engine":"bippy-1.2.0"}}}}