Skip to main content

Linux EUVDEUVD-2026-18722

| CVE-2026-23461 HIGH
Use After Free (CWE-416)
2026-04-03 Linux GHSA-ggw5-jw3c-r95v
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
71030f3b3015a412133a805ff47970cdcf30c2b8,752a6c9596dd25efd6978a73ff21f3b592668f4a,11a87dd5df428a4b79a84d2790cac7f3c73f1f0d
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18722
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user

After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del().

This can lead to use-after-free and list corruption bugs, as reported by syzbot.

Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.

AnalysisAI

Use-after-free in Linux kernel Bluetooth L2CAP layer allows local attackers to cause denial of service or potentially execute code via a race condition in l2cap_unregister_user(). The vulnerability arises because l2cap_register_user() and l2cap_unregister_user() access conn->users without proper locking (conn->lock), while l2cap_conn_del() protects the same structure with conn->lock, creating concurrent access to freed memory. All Linux kernel versions with Bluetooth L2CAP support are affected. Patch available via Linux stable kernel commits.

Technical ContextAI

The Linux kernel Bluetooth subsystem implements L2CAP (Logical Link Control and Adaptation Protocol) for reliable packet delivery over Bluetooth connections. The vulnerability exists in the connection management layer where user registration/unregistration callbacks interact with connection deletion. Following commit ab4eedb790ca, l2cap_conn_del() began using conn->lock to serialize access to the conn->users list; however, l2cap_register_user() and l2cap_unregister_user() continued using only hci_dev_lock(), a different and less granular locking mechanism. This inconsistency creates a classic race condition: one code path (connection deletion) holds conn->lock while traversing conn->users and freeing conn->hchan, while concurrent registration/unregistration calls access the same structures without acquiring conn->lock, leading to time-of-check-time-of-use (TOCTOU) bugs. The root cause is insufficient synchronization (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization) combined with use-after-free (CWE-416). The fix unifies the locking strategy by requiring conn->lock in both registration paths, ensuring all access to conn->users and conn->hchan is serialized.

RemediationAI

Apply the upstream kernel fix by updating to a patched Linux kernel version. The fix is available in multiple stable kernel branches via the commits listed in references; distributions will backport these changes to their supported kernel versions. To identify the correct patched version for your distribution, consult your vendor's security advisory and kernel changelog. For Ubuntu, check ubuntu.com/security; for Red Hat/Fedora, check access.redhat.com; for Debian, check debian.org/security. Interim workaround (if patched kernel is not immediately available): disable Bluetooth via BIOS/UEFI or kernel command-line parameter (e.g., modprobe -r bluetooth) on systems where Bluetooth is not required. Verify your kernel version with uname -r and cross-reference against your distribution's kernel update timeline. Reboot is required after kernel update to apply the fix.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18722 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy