CVE-2026-31499
Received Received - Intake
Deadlock Vulnerability in Linux Bluetooth L2CAP Connection Handling

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer and id_addr_timer while holding conn->lock. However, the work functions l2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire conn->lock, creating a potential AB-BA deadlock if the work is already executing when l2cap_conn_del() takes the lock. Move the work cancellations before acquiring conn->lock and use disable_delayed_work_sync() to additionally prevent the works from being rearmed after cancellation, consistent with the pattern used in hci_conn_del().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31499
EUVD
EUVD-2026-24875
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.14
linux linux_kernel From 6.13.8 (inc) to 6.14 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.14.1 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.12.20 (inc) to 6.13 (exc)
linux linux_kernel From 6.6.84 (inc) to 6.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth L2CAP component. Specifically, the function l2cap_conn_del() calls cancel_delayed_work_sync() on two timers while holding a lock (conn->lock). However, the work functions that are canceled also try to acquire the same lock, which can cause a deadlock situation if the work is already running when l2cap_conn_del() tries to take the lock.

The deadlock occurs because l2cap_conn_del() holds the lock and waits for the work functions to finish, but those work functions are blocked waiting to acquire the same lock, creating a circular wait (AB-BA deadlock). The fix involves moving the cancellation of the work before acquiring the lock and using disable_delayed_work_sync() to prevent the work from restarting after cancellation.

Impact Analysis

This vulnerability can cause a deadlock in the Bluetooth L2CAP subsystem of the Linux kernel, potentially leading to system instability or unresponsiveness related to Bluetooth connections. If the deadlock occurs, Bluetooth functionality may hang or become unavailable, which could disrupt applications or services relying on Bluetooth communication.

Mitigation Strategies

The vulnerability has been resolved by modifying the Linux kernel Bluetooth L2CAP code to avoid a deadlock condition. To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for CVE-2026-31499.

Specifically, ensure your system is running a kernel version where the l2cap_conn_del() function has been corrected to move work cancellations before acquiring the connection lock and uses disable_delayed_work_sync() to prevent rearming of works after cancellation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31499. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart