CVE-2026-53071

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it. Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Linux / Linux15f02b91056253e8cdc592888f431da0731337b8 – 96dca51715d86559ed6ed8028e5445cecb80f3ae
Linux / Linux15f02b91056253e8cdc592888f431da0731337b8 – 330b20ec97916961ee0e6c29c06bc0fa7c96e64c
Linux / Linux15f02b91056253e8cdc592888f431da0731337b8 – 0ccd75c51f620374086f359e906917676e699a1c
Linux / Linux15f02b91056253e8cdc592888f431da0731337b8 – 77a853aec710b2fdf41fa298ea3cbc9a4358f917
Linux / Linux15f02b91056253e8cdc592888f431da0731337b8 – fe1188abdae9b7a8199dcdfcf9244d5e5d61eb14
Linux / Linux15f02b91056253e8cdc592888f431da0731337b8 – dc89961b76f12aff47124c1df4bdb32a080f4d0c
Linux / Linux15f02b91056253e8cdc592888f431da0731337b8 – 5501d055a1ce3c747141e3955ba8cf034d193f3e
Linux / Linux15f02b91056253e8cdc592888f431da0731337b8 – 42776497cdbc9a665b384a6dcb85f0d4bd927eab
Linux / Linux5.7 – 5.7
Linux / Linux0 – 5.7
Linux / Linux5.10.258 – 5.10.*
Linux / Linux5.15.209 – 5.15.*
Linux / Linux6.1.175 – 6.1.*
Linux / Linux6.6.141 – 6.6.*
Linux / Linux6.12.91 – 6.12.*
Linux / Linux6.18.33 – 6.18.*
Linux / Linux7.0.10 – 7.0.*
Linux / Linux7.1 – *

Description

CVSS breakdown

Affected products

References