8.8
CVE-2026-53071
- EPSS 0.27%
- Veröffentlicht 24.06.2026 16:30:12
- Zuletzt bearbeitet 08.07.2026 13:16:53
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it. Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 10
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 8
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 9
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 6
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 7
Default Statusunaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.27% | 0.183 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/96dca51715d86559ed6ed8028e5445cecb80f3ae
https://git.kernel.org/stable/c/330b20ec97916961ee0e6c29c06bc0fa7c96e64c
https://git.kernel.org/stable/c/0ccd75c51f620374086f359e906917676e699a1c
https://git.kernel.org/stable/c/77a853aec710b2fdf41fa298ea3cbc9a4358f917
https://git.kernel.org/stable/c/fe1188abdae9b7a8199dcdfcf9244d5e5d61eb14
https://git.kernel.org/stable/c/dc89961b76f12aff47124c1df4bdb32a080f4d0c
https://git.kernel.org/stable/c/5501d055a1ce3c747141e3955ba8cf034d193f3e
https://git.kernel.org/stable/c/42776497cdbc9a665b384a6dcb85f0d4bd927eab
https://bugzilla.redhat.com/show_bug.cgi?id=2492458
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53071.json
https://access.redhat.com/security/cve/CVE-2026-53071