CVE-2026-53071

HIGH

Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it. Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().

Scores

CVSS v3 8.8
EPSS 0.0027
EPSS Percentile 18.3%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (25)
linux/Kernel 5.11.0 - 5.15.209linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 5.7.0 - 5.10.258linux
linux/Kernel 6.13.0 - 6.18.33linux
linux/Kernel 6.19.0 - 7.0.10linux
linux/Kernel 6.2.0 - 6.6.141linux
linux/Kernel 6.7.0 - 6.12.91linux
Linux/Linux < 5.7
Linux/Linux 15f02b91056253e8cdc592888f431da0731337b8 - 0ccd75c51f620374086f359e906917676e699a1c
Linux/Linux 15f02b91056253e8cdc592888f431da0731337b8 - 330b20ec97916961ee0e6c29c06bc0fa7c96e64c
... and 15 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026