In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding
l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file
acquires the lock first. A remote BLE device can send a crafted
L2CAP ECRED reconfiguration response to corrupt the channel list
while another thread is iterating it.
Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(),
and l2cap_chan_unlock() and l2cap_chan_put() after, matching the
pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().
References
Configurations
No configuration.
History
08 Jul 2026, 13:16
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-416 |
30 Jun 2026, 03:20
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
|
| CWE | CWE-414 |
28 Jun 2026, 08:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
24 Jun 2026, 17:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-24 17:17
Updated : 2026-07-15 01:16
NVD link : CVE-2026-53071
Mitre link : CVE-2026-53071
CVE.ORG link : CVE-2026-53071
JSON object : View
Products Affected
No product.
CWE
CWE-416
Use After Free
