Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Bluetooth proximity (AV:A) and unauthenticated link (PR:N), but winning the race window raises AC:H; primary impact is kernel panic (A:H) with limited, unproven memory disclosure/corruption (C:L/I:L).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it.
Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().
AnalysisAI
Race-condition memory corruption in the Linux kernel Bluetooth L2CAP stack lets a nearby BLE device crash or potentially compromise an affected host. The l2cap_ecred_reconf_rsp() handler calls l2cap_chan_del() without first taking l2cap_chan_lock(), so a crafted L2CAP Enhanced Credit (ECRED) reconfiguration response can mutate the channel list while another kernel thread iterates it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires Bluetooth Low Energy radio proximity to the target (AV:A) and that the target has the Bluetooth subsystem active with an established LE L2CAP connection-oriented channel in Enhanced Credit Based (ECRED) flow-control mode - the attacker must be a connected/paired BLE peer able to emit an L2CAP ECRED reconfiguration response. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should temper the headline 8.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker within Bluetooth range of a victim that has an active LE L2CAP ECRED channel sends a crafted L2CAP ECRED reconfiguration response. The malicious response drives l2cap_ecred_reconf_rsp() to delete a channel without the channel lock while another kernel thread is iterating the channel list, corrupting kernel memory and most likely panicking the host (denial of service), with a theoretical path to further memory corruption. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later in each series), or apply your distribution's backport referencing the kernel.org stable commits (https://git.kernel.org/stable/c/96dca51715d86559ed6ed8028e5445cecb80f3ae and the other listed hashes). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory Linux systems with Bluetooth capabilities in your environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-414 – Missing Lock Check
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38939
GHSA-g7cw-xhg8-933g