{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31499","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.104Z","datePublished":"2026-04-22T13:54:20.384Z","dateUpdated":"2026-05-14T14:30:11.358Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-14T14:30:11.358Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix deadlock in l2cap_conn_del()\n\nl2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer\nand id_addr_timer while holding conn->lock. However, the work functions\nl2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire\nconn->lock, creating a potential AB-BA deadlock if the work is already\nexecuting when l2cap_conn_del() takes the lock.\n\nMove the work cancellations before acquiring conn->lock and use\ndisable_delayed_work_sync() to additionally prevent the works from\nbeing rearmed after cancellation, consistent with the pattern used in\nhci_conn_del()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/l2cap_core.c"],"versions":[{"version":"f87271d21dd4ee83857ca11b94e7b4952749bbae","lessThan":"f7f35a4f7fd574f5889bb2e4b397e14cbb83f6da","status":"affected","versionType":"git"},{"version":"ab4eedb790cae44313759b50fe47da285e2519d5","lessThan":"3f26ecbd9cde621dd94be7ef252c7210b965a5c7","status":"affected","versionType":"git"},{"version":"ab4eedb790cae44313759b50fe47da285e2519d5","lessThan":"d008460de352e534f6721de829b093368564ec66","status":"affected","versionType":"git"},{"version":"ab4eedb790cae44313759b50fe47da285e2519d5","lessThan":"00fdebbbc557a2fc21321ff2eaa22fd70c078608","status":"affected","versionType":"git"},{"version":"efc30877bd4bc85fefe98d80af60fafc86e5775e","status":"affected","versionType":"git"},{"version":"18ab6b6078fa8191ca30a3065d57bf35d5635761","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/l2cap_core.c"],"versions":[{"version":"6.14","status":"affected"},{"version":"0","lessThan":"6.14","status":"unaffected","versionType":"semver"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.20","versionEndExcluding":"6.12.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"7.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.84"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f7f35a4f7fd574f5889bb2e4b397e14cbb83f6da"},{"url":"https://git.kernel.org/stable/c/3f26ecbd9cde621dd94be7ef252c7210b965a5c7"},{"url":"https://git.kernel.org/stable/c/d008460de352e534f6721de829b093368564ec66"},{"url":"https://git.kernel.org/stable/c/00fdebbbc557a2fc21321ff2eaa22fd70c078608"}],"title":"Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()","x_generator":{"engine":"bippy-1.2.0"}}}}