Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()

Summary

CVECVE-2026-53357
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-07-02 15:17:03 UTC
Updated2026-07-02 15:17:03 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() bt_accept_dequeue() unlinks a not-yet-accepted child from the parent accept queue and release_sock()s it before returning, so the returned sk has no caller reference and is unlocked. l2cap_sock_cleanup_listen() walks these children on listening-socket close. A concurrent HCI disconnect drives hci_rx_work -> l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and frees the child sk and its l2cap_chan; cleanup_listen() then uses both: BUG: KASAN: slab-use-after-free in l2cap_sock_kill l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill This is distinct from the two fixes already in this area: commit e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the accept_q list/poll and takes temporary refs inside bt_accept_dequeue(), and CVE-2025-39860 serialises the userspace close()/accept() race by calling cleanup_listen() under lock_sock() in l2cap_sock_release(). Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF still reproduces on current bluetooth/master. Take the reference at the source: bt_accept_dequeue() does sock_hold() while sk is still locked, before release_sock(); callers sock_put(). cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under the parent sk lock and that would invert conn->lock -> chan->lock -> sk_lock (lockdep). KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced 12 use-after-free reports per run before this change; 0, and no lockdep report, over 1600+ raced iterations after it on bluetooth/master.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 751de6ec671fe75ad9cf65a0638d2a06b6a5984d git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 407217734835d21d4e0105ebf347860dc1806f88 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 7eebd4c2c86f573af87ff165d08a83432eb0b919 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 5d86d2f1b4d9a508c441d3e45277ae1a73cfed57 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 87c543e2f78d0871f271df92dab98901bbd5b6f5 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 added1213395071470a900cc845a042fb51882a6 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 a5ca86a6097a8b030ca3226cd300b17ed330f966 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 ab1513597c6cf17cd1ad2a21e3b045421b48e022 git Not specified
CNA Linux Linux affected 5.7 Not specified
CNA Linux Linux unaffected 5.7 semver Not specified
CNA Linux Linux unaffected 5.10.259 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.210 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.175 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.142 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.92 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.34 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.11 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/a5ca86a6097a8b030ca3226cd300b17ed330f966 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/5d86d2f1b4d9a508c441d3e45277ae1a73cfed57 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/407217734835d21d4e0105ebf347860dc1806f88 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/751de6ec671fe75ad9cf65a0638d2a06b6a5984d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/87c543e2f78d0871f271df92dab98901bbd5b6f5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/added1213395071470a900cc845a042fb51882a6 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/7eebd4c2c86f573af87ff165d08a83432eb0b919 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/ab1513597c6cf17cd1ad2a21e3b045421b48e022 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report