{"id":"CVE-2026-23461","summary":"Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\n\nAfter commit ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in\nhci_chan_del\"), l2cap_conn_del() uses conn-\u003elock to protect access to\nconn-\u003eusers. However, l2cap_register_user() and l2cap_unregister_user()\ndon't use conn-\u003elock, creating a race condition where these functions can\naccess conn-\u003eusers and conn-\u003ehchan concurrently with l2cap_conn_del().\n\nThis can lead to use-after-free and list corruption bugs, as reported\nby syzbot.\n\nFix this by changing l2cap_register_user() and l2cap_unregister_user()\nto use conn-\u003elock instead of hci_dev_lock(), ensuring consistent locking\nfor the l2cap_conn structure.","modified":"2026-04-14T03:48:06.128663Z","published":"2026-04-03T15:15:41.051Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23461.json"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23461.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23461"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"efc30877bd4bc85fefe98d80af60fafc86e5775e"},{"fixed":"11a87dd5df428a4b79a84d2790cac7f3c73f1f0d"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f87271d21dd4ee83857ca11b94e7b4952749bbae"},{"fixed":"c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ab4eedb790cae44313759b50fe47da285e2519d5"},{"fixed":"da3000cbe4851458a22be38bb18c0689c39fdd5f"},{"fixed":"71030f3b3015a412133a805ff47970cdcf30c2b8"},{"fixed":"752a6c9596dd25efd6978a73ff21f3b592668f4a"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"18ab6b6078fa8191ca30a3065d57bf35d5635761"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23461.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.20"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.14.0"},{"fixed":"6.19.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23461.json"}}],"schema_version":"1.7.5"}