8.8

CVE-2026-53071

Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp

l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding
l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file
acquires the lock first. A remote BLE device can send a crafted
L2CAP ECRED reconfiguration response to corrupt the channel list
while another thread is iterating it.

Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(),
and l2cap_chan_unlock() and l2cap_chan_put() after, matching the
pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 10
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 8
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 9
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 6
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 7
Default Statusunaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.27% 0.183
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 8.8 2.8 5.9
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 1.6 5.9
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/96dca51715d86559ed6ed8028e5445cecb80f3ae
https://git.kernel.org/stable/c/330b20ec97916961ee0e6c29c06bc0fa7c96e64c
https://git.kernel.org/stable/c/0ccd75c51f620374086f359e906917676e699a1c
https://git.kernel.org/stable/c/77a853aec710b2fdf41fa298ea3cbc9a4358f917
https://git.kernel.org/stable/c/fe1188abdae9b7a8199dcdfcf9244d5e5d61eb14
https://git.kernel.org/stable/c/dc89961b76f12aff47124c1df4bdb32a080f4d0c
https://git.kernel.org/stable/c/5501d055a1ce3c747141e3955ba8cf034d193f3e
https://git.kernel.org/stable/c/42776497cdbc9a665b384a6dcb85f0d4bd927eab
https://bugzilla.redhat.com/show_bug.cgi?id=2492458
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53071.json
https://access.redhat.com/security/cve/CVE-2026-53071