CVE-2026-31499
Deadlock Vulnerability in Linux Bluetooth L2CAP Connection Handling
Publication date: 2026-04-22
Last updated on: 2026-04-28
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.14 |
| linux | linux_kernel | From 6.13.8 (inc) to 6.14 (exc) |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 6.14.1 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.12.20 (inc) to 6.13 (exc) |
| linux | linux_kernel | From 6.6.84 (inc) to 6.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the Linux kernel's Bluetooth L2CAP component. The function l2cap_conn_del() calls cancel_delayed_work_sync() on two timers while holding a lock (conn->lock). The work functions being canceled also acquire that same lock, so a deadlock can occur if the work is already running when l2cap_conn_del() takes the lock.
The deadlock occurs because l2cap_conn_del() holds the lock and waits for the work functions to finish, but those work functions are blocked waiting to acquire the same lock, creating a circular wait (AB-BA deadlock). The fix involves moving the cancellation of the work before acquiring the lock and using disable_delayed_work_sync() to prevent the work from restarting after cancellation.
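The lock ordering described above can be reproduced in a userspace model, added here as an illustration; it is not kernel code. The names struct conn, timer_work, cancel_work_sync and conn_del are constructed for the example, pthreads stand in for the workqueue, and the wait is bounded so the hang can be reported; rearming of the work (the reason for disable_delayed_work_sync()) is not modeled.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

/* lock stands in for conn->lock; work_done is set once the work has returned. */
struct conn { pthread_mutex_t lock; atomic_int work_done; };

/* Timer work: like the work functions described above, it takes the lock. */
static void *timer_work(void *arg) {
    struct conn *c = arg;
    pthread_mutex_lock(&c->lock);
    pthread_mutex_unlock(&c->lock);
    atomic_store(&c->work_done, 1);
    return NULL;
}

/* Model of a *_sync cancel: wait for running work to return. The kernel waits
 * without limit; this wait is bounded so the hang can be reported as -1. */
static int cancel_work_sync(struct conn *c, long budget_ms) {
    struct timespec t0, t;
    timespec_get(&t0, TIME_UTC);
    while (!atomic_load(&c->work_done)) {
        timespec_get(&t, TIME_UTC);
        long ms = (t.tv_sec - t0.tv_sec) * 1000 + (t.tv_nsec - t0.tv_nsec) / 1000000;
        if (ms > budget_ms) return -1;
        sched_yield();
    }
    return 0;
}

/* fixed == 0: cancel while holding the lock. fixed != 0: cancel, then lock. */
static int conn_del(int fixed) {
    struct conn c = { PTHREAD_MUTEX_INITIALIZER, 0 };
    pthread_t work;
    if (!fixed) pthread_mutex_lock(&c.lock);
    pthread_create(&work, NULL, timer_work, &c); /* work is now executing */
    int rc = cancel_work_sync(&c, 500);
    if (fixed) pthread_mutex_lock(&c.lock);
    pthread_mutex_unlock(&c.lock); /* teardown done, or the demo gives up */
    pthread_join(work, NULL);
    return rc; /* -1 means the real teardown would never return */
}

int main(void) {
    printf("cancel under lock:  %d\n", conn_del(0));
    printf("cancel before lock: %d\n", conn_del(1));
    return 0;
}
```

With the cancel issued under the lock, the worker can never reach its unlock, so the wait only ends because the model gives up after 500 ms.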
How can this vulnerability impact me?
This vulnerability can cause a deadlock in the Bluetooth L2CAP subsystem of the Linux kernel, potentially leading to system instability or unresponsiveness related to Bluetooth connections. If the deadlock occurs, Bluetooth functionality may hang or become unavailable, which could disrupt applications or services relying on Bluetooth communication.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved by modifying the Linux kernel Bluetooth L2CAP code to avoid a deadlock condition. To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for CVE-2026-31499.
Specifically, ensure your system is running a kernel version in which l2cap_conn_del() has been corrected to cancel the works before acquiring the connection lock and to use disable_delayed_work_sync(), which prevents the works from being rearmed after cancellation.