CVE-2026-53071
HIGHBluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it. Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().
References (11)
Core 11
Core References
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-53071
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2492458
Scores
CVSS v3
8.8
EPSS
0.0027
EPSS Percentile
18.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-416
Status
published
Products (25)
linux/Kernel
5.11.0 - 5.15.209linux
linux/Kernel
5.16.0 - 6.1.175linux
linux/Kernel
5.7.0 - 5.10.258linux
linux/Kernel
6.13.0 - 6.18.33linux
linux/Kernel
6.19.0 - 7.0.10linux
linux/Kernel
6.2.0 - 6.6.141linux
linux/Kernel
6.7.0 - 6.12.91linux
Linux/Linux
< 5.7
Linux/Linux
15f02b91056253e8cdc592888f431da0731337b8 - 0ccd75c51f620374086f359e906917676e699a1c
Linux/Linux
15f02b91056253e8cdc592888f431da0731337b8 - 330b20ec97916961ee0e6c29c06bc0fa7c96e64c
... and 15 more
Published
Jun 24, 2026
Tracked Since
Jun 24, 2026