{"api_version":"1","generated_at":"2026-04-19T01:14:02+00:00","cve":"CVE-2026-23462","urls":{"html":"https://cve.report/CVE-2026-23462","api":"https://cve.report/api/cve/CVE-2026-23462.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23462","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23462"},"summary":{"title":"Bluetooth: HIDP: Fix possible UAF","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HIDP: Fix possible UAF\n\nThis fixes the following trace caused by not dropping l2cap_conn\nreference when user->remove callback is called:\n\n[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00\n[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)\n[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n[   97.809947] Call Trace:\n[   97.809954]  <TASK>\n[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)\n[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)\n[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)\n[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))\n[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)\n[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))\n[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)\n[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)\n[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))\n[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)\n[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)\n[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)\n[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)\n[   97.810404]  __fput (fs/file_table.c:470)\n[   97.810430]  task_work_run (kernel/task_work.c:235)\n[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)\n[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))\n[   97.810527]  do_exit (kernel/exit.c:972)\n[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)\n[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))\n[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))\n[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[   97.810721]  do_group_exit (kernel/exit.c:1093)\n[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))\n[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)\n[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810826]  ? vfs_read (fs/read_write.c:555)\n[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)\n[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)\n[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810960]  arch_do_signal_or_restart (arch/\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-03 16:16:33","updated_at":"2026-04-18 09:16:28"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/dbf666e4fc9bdd975a61bf682b3f75cb0145eedd","name":"https://git.kernel.org/stable/c/dbf666e4fc9bdd975a61bf682b3f75cb0145eedd","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4d37fa7582aa960ba23e10a7a2596a29f37ad281","name":"https://git.kernel.org/stable/c/4d37fa7582aa960ba23e10a7a2596a29f37ad281","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d955ccbf91ab74d76fe9e4eab2846a7d8a173075","name":"https://git.kernel.org/stable/c/d955ccbf91ab74d76fe9e4eab2846a7d8a173075","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/18b1263ece6431bd78fa6b61faaef5281203741c","name":"https://git.kernel.org/stable/c/18b1263ece6431bd78fa6b61faaef5281203741c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f8b6ed2f06d3baa44f347a0fa2af52433f386463","name":"https://git.kernel.org/stable/c/f8b6ed2f06d3baa44f347a0fa2af52433f386463","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/21a47a119f33df9bb157326846390d7e8e1b45ba","name":"https://git.kernel.org/stable/c/21a47a119f33df9bb157326846390d7e8e1b45ba","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7c805b7d1e580eececcc92470292e3dbc42bc3f5","name":"https://git.kernel.org/stable/c/7c805b7d1e580eececcc92470292e3dbc42bc3f5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/45ebe5b900200ac3e01f3470506a44a447825721","name":"https://git.kernel.org/stable/c/45ebe5b900200ac3e01f3470506a44a447825721","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23462","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23462","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 d955ccbf91ab74d76fe9e4eab2846a7d8a173075 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 18b1263ece6431bd78fa6b61faaef5281203741c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 21a47a119f33df9bb157326846390d7e8e1b45ba git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 45ebe5b900200ac3e01f3470506a44a447825721 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 7c805b7d1e580eececcc92470292e3dbc42bc3f5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 f8b6ed2f06d3baa44f347a0fa2af52433f386463 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 4d37fa7582aa960ba23e10a7a2596a29f37ad281 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 dbf666e4fc9bdd975a61bf682b3f75cb0145eedd git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.10","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.10 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.167 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.130 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.78 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.20 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.10 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23462","cve":"CVE-2026-23462","epss":"0.000320000","percentile":"0.090980000","score_date":"2026-04-18","updated_at":"2026-04-19 00:10:43"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/bluetooth/hidp/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"d955ccbf91ab74d76fe9e4eab2846a7d8a173075","status":"affected","version":"b4f34d8d9d26b2428fa7cf7c8f97690a297978e6","versionType":"git"},{"lessThan":"18b1263ece6431bd78fa6b61faaef5281203741c","status":"affected","version":"b4f34d8d9d26b2428fa7cf7c8f97690a297978e6","versionType":"git"},{"lessThan":"21a47a119f33df9bb157326846390d7e8e1b45ba","status":"affected","version":"b4f34d8d9d26b2428fa7cf7c8f97690a297978e6","versionType":"git"},{"lessThan":"45ebe5b900200ac3e01f3470506a44a447825721","status":"affected","version":"b4f34d8d9d26b2428fa7cf7c8f97690a297978e6","versionType":"git"},{"lessThan":"7c805b7d1e580eececcc92470292e3dbc42bc3f5","status":"affected","version":"b4f34d8d9d26b2428fa7cf7c8f97690a297978e6","versionType":"git"},{"lessThan":"f8b6ed2f06d3baa44f347a0fa2af52433f386463","status":"affected","version":"b4f34d8d9d26b2428fa7cf7c8f97690a297978e6","versionType":"git"},{"lessThan":"4d37fa7582aa960ba23e10a7a2596a29f37ad281","status":"affected","version":"b4f34d8d9d26b2428fa7cf7c8f97690a297978e6","versionType":"git"},{"lessThan":"dbf666e4fc9bdd975a61bf682b3f75cb0145eedd","status":"affected","version":"b4f34d8d9d26b2428fa7cf7c8f97690a297978e6","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/bluetooth/hidp/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.10"},{"lessThan":"3.10","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.167","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.130","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.78","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.20","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"3.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"3.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"3.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"3.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.78","versionStartIncluding":"3.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.20","versionStartIncluding":"3.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.10","versionStartIncluding":"3.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"3.10","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HIDP: Fix possible UAF\n\nThis fixes the following trace caused by not dropping l2cap_conn\nreference when user->remove callback is called:\n\n[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00\n[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)\n[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n[   97.809947] Call Trace:\n[   97.809954]  <TASK>\n[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)\n[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)\n[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)\n[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))\n[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)\n[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))\n[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)\n[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)\n[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))\n[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)\n[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)\n[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)\n[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)\n[   97.810404]  __fput (fs/file_table.c:470)\n[   97.810430]  task_work_run (kernel/task_work.c:235)\n[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)\n[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))\n[   97.810527]  do_exit (kernel/exit.c:972)\n[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)\n[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))\n[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))\n[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[   97.810721]  do_group_exit (kernel/exit.c:1093)\n[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))\n[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)\n[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810826]  ? vfs_read (fs/read_write.c:555)\n[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)\n[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)\n[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810960]  arch_do_signal_or_restart (arch/\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-04-18T08:59:10.900Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/d955ccbf91ab74d76fe9e4eab2846a7d8a173075"},{"url":"https://git.kernel.org/stable/c/18b1263ece6431bd78fa6b61faaef5281203741c"},{"url":"https://git.kernel.org/stable/c/21a47a119f33df9bb157326846390d7e8e1b45ba"},{"url":"https://git.kernel.org/stable/c/45ebe5b900200ac3e01f3470506a44a447825721"},{"url":"https://git.kernel.org/stable/c/7c805b7d1e580eececcc92470292e3dbc42bc3f5"},{"url":"https://git.kernel.org/stable/c/f8b6ed2f06d3baa44f347a0fa2af52433f386463"},{"url":"https://git.kernel.org/stable/c/4d37fa7582aa960ba23e10a7a2596a29f37ad281"},{"url":"https://git.kernel.org/stable/c/dbf666e4fc9bdd975a61bf682b3f75cb0145eedd"}],"title":"Bluetooth: HIDP: Fix possible UAF","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23462","datePublished":"2026-04-03T15:15:41.718Z","dateReserved":"2026-01-13T15:37:46.021Z","dateUpdated":"2026-04-18T08:59:10.900Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-03 16:16:33","lastModifiedDate":"2026-04-18 09:16:28","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23462","Ordinal":"1","Title":"Bluetooth: HIDP: Fix possible UAF","CVE":"CVE-2026-23462","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23462","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HIDP: Fix possible UAF\n\nThis fixes the following trace caused by not dropping l2cap_conn\nreference when user->remove callback is called:\n\n[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00\n[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)\n[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n[   97.809947] Call Trace:\n[   97.809954]  <TASK>\n[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)\n[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)\n[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)\n[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))\n[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)\n[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))\n[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)\n[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)\n[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))\n[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)\n[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)\n[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)\n[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)\n[   97.810404]  __fput (fs/file_table.c:470)\n[   97.810430]  task_work_run (kernel/task_work.c:235)\n[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)\n[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))\n[   97.810527]  do_exit (kernel/exit.c:972)\n[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)\n[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))\n[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))\n[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[   97.810721]  do_group_exit (kernel/exit.c:1093)\n[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))\n[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)\n[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810826]  ? vfs_read (fs/read_write.c:555)\n[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)\n[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)\n[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810960]  arch_do_signal_or_restart (arch/\n---truncated---","Type":"Description","Title":"Bluetooth: HIDP: Fix possible UAF"}]}}}