Skip to main content

Linux Kernel EUVDEUVD-2026-38939

| CVE-2026-53071 HIGH
Missing Lock Check (CWE-414)
2026-06-24 Linux GHSA-g7cw-xhg8-933g
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Bluetooth proximity (AV:A) and unauthenticated link (PR:N), but winning the race window raises AC:H; primary impact is kernel panic (A:H) with limited, unproven memory disclosure/corruption (C:L/I:L).

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
4.0 AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:03 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 8.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp

l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it.

Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().

AnalysisAI

Race-condition memory corruption in the Linux kernel Bluetooth L2CAP stack lets a nearby BLE device crash or potentially compromise an affected host. The l2cap_ecred_reconf_rsp() handler calls l2cap_chan_del() without first taking l2cap_chan_lock(), so a crafted L2CAP Enhanced Credit (ECRED) reconfiguration response can mutate the channel list while another kernel thread iterates it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain Bluetooth LE proximity to target
Delivery
Establish/abuse LE L2CAP ECRED channel
Exploit
Send crafted ECRED reconfiguration response
Execution
Trigger unlocked l2cap_chan_del race
Persist
Corrupt channel list during concurrent iteration
Impact
Kernel memory corruption / panic (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires Bluetooth Low Energy radio proximity to the target (AV:A) and that the target has the Bluetooth subsystem active with an established LE L2CAP connection-oriented channel in Enhanced Credit Based (ECRED) flow-control mode - the attacker must be a connected/paired BLE peer able to emit an L2CAP ECRED reconfiguration response. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should temper the headline 8.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker within Bluetooth range of a victim that has an active LE L2CAP ECRED channel sends a crafted L2CAP ECRED reconfiguration response. The malicious response drives l2cap_ecred_reconf_rsp() to delete a channel without the channel lock while another kernel thread is iterating the channel list, corrupting kernel memory and most likely panicking the host (denial of service), with a theoretical path to further memory corruption. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or later in each series), or apply your distribution's backport referencing the kernel.org stable commits (https://git.kernel.org/stable/c/96dca51715d86559ed6ed8028e5445cecb80f3ae and the other listed hashes). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory Linux systems with Bluetooth capabilities in your environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy