Skip to main content

Linux Kernel EUVDEUVD-2026-24875

| CVE-2026-31499 MEDIUM
Improper Locking (CWE-667)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-hr22-g233-2gjg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 14:07 vuln.today
CVSS changed
Apr 28, 2026 - 14:07 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 14:01 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24875
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()

l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer and id_addr_timer while holding conn->lock. However, the work functions l2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire conn->lock, creating a potential AB-BA deadlock if the work is already executing when l2cap_conn_del() takes the lock.

Move the work cancellations before acquiring conn->lock and use disable_delayed_work_sync() to additionally prevent the works from being rearmed after cancellation, consistent with the pattern used in hci_conn_del().

AnalysisAI

A deadlock condition in Linux kernel Bluetooth L2CAP connection deletion allows local authenticated users to trigger a denial of service by causing the l2cap_conn_del() function to deadlock when canceling delayed work timers while holding the connection lock. The vulnerability affects multiple Linux kernel versions across the 6.x and 7.0 release branches and has been resolved through upstream patch commits that reorganize lock acquisition and work cancellation order.

Technical ContextAI

The vulnerability exists in the Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) subsystem, specifically in the connection deletion routine (l2cap_conn_del()). The issue is a classic AB-BA deadlock caused by lock ordering violation: l2cap_conn_del() acquires conn->lock before calling cancel_delayed_work_sync() on info_timer and id_addr_timer, but the corresponding work functions (l2cap_info_timeout() and l2cap_conn_update_id_addr()) also attempt to acquire the same conn->lock. If either work function is executing when l2cap_conn_del() takes the lock, the system deadlocks. The fix involves moving work cancellations outside the critical section and using disable_delayed_work_sync() instead of cancel_delayed_work_sync() to prevent work rearming, aligning with the pattern used in hci_conn_del().

RemediationAI

Vendor-released patches are available through stable kernel releases. For Linux 6.x users, upgrade to version 6.18.21 or later, or 6.19.11 if on the 6.19 branch. For Linux 7.0 users, upgrade to the final 7.0 release or later. The upstream fix commits (00fdebbbc557a2fc21321ff2eaa22fd70c078608, 3f26ecbd9cde621dd94be7ef252c7210b965a5c7, d008460de352e534f6721de829b093368564ec66) are available in git.kernel.org and can be applied directly to custom kernel builds. The fix reorganizes code to cancel delayed work before acquiring the connection lock and uses disable_delayed_work_sync() instead of cancel_delayed_work_sync(). For systems unable to patch immediately, the vulnerability's local-only attack vector and authentication requirement provide natural containment; restrict direct physical access and local user accounts to trusted personnel. Monitor system logs for deadlock-related traces (hung task warnings) involving Bluetooth L2CAP connections.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24875 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy