Bug 2492458 (CVE-2026-53071) - CVE-2026-53071 kernel: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
Summary: CVE-2026-53071 kernel: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred...
Keywords:
Status: NEW
Alias: CVE-2026-53071
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 18:13 UTC by OSIDB Bzimport
Modified: 2026-07-07 16:42 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:13:10 UTC
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp

l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding
l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file
acquires the lock first. A remote BLE device can send a crafted
L2CAP ECRED reconfiguration response to corrupt the channel list
while another thread is iterating it.

Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(),
and l2cap_chan_unlock() and l2cap_chan_put() after, matching the
pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().

Comment 1 Mauro Matteo Cascella 2026-06-25 08:14:37 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062404-CVE-2026-53071-bdae@gregkh/T


Note You need to log in before you can comment on or make changes to this bug.