CVE-2026-53071
Received - Intake
Bluetooth: l2cap: Missing chan lock in l2cap_ecred_reconf_rsp

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp

l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it.

Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth L2CAP implementation. Specifically, the function l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without acquiring the necessary channel lock (l2cap_chan_lock()). This is inconsistent with other callers of l2cap_chan_del() that do acquire the lock first.

Because of this missing lock, a remote Bluetooth Low Energy (BLE) device can send a specially crafted L2CAP ECRED reconfiguration response that corrupts the channel list while another thread is iterating over it. This can lead to data corruption or unexpected behavior in the Bluetooth stack.

The fix involves adding the appropriate locking and reference counting calls (l2cap_chan_hold(), l2cap_chan_lock(), l2cap_chan_unlock(), and l2cap_chan_put()) around l2cap_chan_del() to ensure thread-safe manipulation of the channel list.
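
The ordering described above, as a single-threaded userspace C model added here for illustration; it is not the kernel's code or the upstream patch. All names (chan, conn, reconf_rsp and the two counters) are hypothetical, and the model assumes the delete step drops the list's own reference, so the extra hold is what keeps the channel valid until the unlock.

```c
#include <stddef.h>

/* Userspace model of the locking pattern; every name here is hypothetical. */
struct chan { int refcnt, locked, freed; struct chan *next; };
struct conn { struct chan *head; int unlocked_dels, use_after_put; };

static void chan_hold(struct chan *c) { c->refcnt++; }
static void chan_put(struct chan *c)  { if (--c->refcnt == 0) c->freed = 1; }
static void chan_lock(struct chan *c) { c->locked = 1; }
static void chan_unlock(struct conn *cn, struct chan *c)
{
    cn->use_after_put += c->freed;   /* unlocking after the last put */
    c->locked = 0;
}

/* Unlink c and drop the list's reference (an assumption of this model). */
static void chan_del(struct conn *cn, struct chan *c)
{
    struct chan **pp = &cn->head;

    cn->unlocked_dels += !c->locked; /* stands in for a lock-held assertion */
    while (*pp && *pp != c)
        pp = &(*pp)->next;
    if (*pp)
        *pp = c->next;
    chan_put(c);
}

/* Delete every channel; fixed=0 is the pre-fix shape, fixed=1 the patched
 * one. Returns the number of rule violations the model observed. */
int reconf_rsp(struct conn *cn, int fixed)
{
    while (cn->head) {
        struct chan *c = cn->head;

        if (fixed) { chan_hold(c); chan_lock(c); }       /* before del */
        chan_del(cn, c);
        if (fixed) { chan_unlock(cn, c); chan_put(c); }  /* after del */
    }
    return cn->unlocked_dels + cn->use_after_put;
}

int main(void)
{
    struct chan a = {1, 0, 0, NULL}, b = {1, 0, 0, &a};  /* constructed */
    struct conn cn = {&b, 0, 0};

    return reconf_rsp(&cn, 1);  /* exit status 0: no violations */
}
```

The model counts rule violations rather than racing real threads: with fixed=0 every delete is recorded as running without the channel lock, which is the condition the patch removes.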

Impact Analysis

This vulnerability can allow a remote BLE device to cause corruption in the Bluetooth channel list within the Linux kernel. Such corruption may lead to instability or crashes in the Bluetooth subsystem, potentially causing denial of service or unexpected behavior in Bluetooth communications.

If your system relies on Bluetooth connectivity, especially with BLE devices, this could disrupt normal operations or open the door to further exploitation depending on how the corrupted state is handled.
