Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Use-after-free in Linux kernel Bluetooth L2CAP l2cap_unregister_user

IdentifiersCVE-2026-23461CWE-416· Use After Free

CVE-2026-23461 is a Linux kernel Bluetooth L2CAP vulnerability caused by inconsistent locking around the l2cap_conn structure. After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() began using conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() continued to use different locking semantics and did not take conn->lock. This created a race condition in which l2cap_register_user() or l2cap_unregister_user() could access conn->users and conn->hchan concurrently with l2cap_conn_del(). The resulting concurrency bug can trigger use-after-free and list corruption in the Bluetooth L2CAP subsystem. The issue was reported by syzbot. The fix changes l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), restoring consistent synchronization for l2cap_conn state.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause memory-safety violations in the kernel Bluetooth stack, specifically use-after-free and list corruption conditions. Because the flaw is in kernel-space code, impact can include kernel crash or denial of service, memory corruption, and potentially compromise of confidentiality, integrity, and availability. Available CVSS assessments indicate high impact across C, I, and A.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling Bluetooth where not required, unloading or blacklisting affected Bluetooth kernel modules if operationally feasible, and limiting adjacent-network Bluetooth reachability. Because this is a kernel race in the Bluetooth L2CAP subsystem, there is no complete mitigation short of applying the fixed kernel.

Remediation

Patch, then assume compromise.

Apply a kernel update that includes the upstream fix for CVE-2026-23461. The remediation is to use conn->lock consistently in l2cap_register_user() and l2cap_unregister_user() instead of hci_dev_lock(), matching l2cap_conn_del() locking and preventing concurrent unsafe access to conn->users and conn->hchan. On SUSE systems, install the relevant fixed kernel packages from the published advisories and reboot into the updated kernel.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

2 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-23461
NVD
nvd.nist.gov/vuln/detail/CVE-2026-23461
MITRE CWE · CWE-416
Use After Free
Patch
git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d
Patch
git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8
Patch
git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4a
Patch
git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf
Patch
git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5f