High

Use-after-free in Linux kernel Bluetooth HIDP

IdentifiersCVE-2026-23462CWE-416· Use After Free

CVE-2026-23462 is a Linux kernel memory-safety flaw in the Bluetooth HIDP subsystem. The issue is described upstream as "Bluetooth: HIDP: Fix possible UAF" and is caused by failing to drop an l2cap_conn reference when the user->remove callback is invoked. As a result, an L2CAP connection object can be freed via the Bluetooth/L2CAP disconnect path while still being referenced, creating a use-after-free condition. The provided trace shows the fault path through l2cap_conn_free(), l2cap_conn_del(), l2cap_disconn_cfm(), hci_conn_hash_flush(), hci_dev_close_sync(), and hci_unregister_dev(), consistent with a stale reference during Bluetooth connection teardown.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to kernel memory corruption in the Bluetooth stack, including dereference of freed memory during connection teardown. In practical terms this can cause kernel crashes and denial of service, and because it is a use-after-free in kernel context, it may also enable more serious outcomes such as privilege escalation or arbitrary code execution in the kernel, depending on exploitability and target conditions.

Mitigation

If you can’t patch tonight, do this now.

Until patched kernels can be deployed, reduce exposure by disabling or unloading Bluetooth/HIDP support where not required, preventing use of vulnerable Bluetooth HIDP functionality, and restricting access to systems or environments where attackers could interact with the Bluetooth stack. General hardening measures such as minimizing local access to Bluetooth device management interfaces and disabling virtual Bluetooth testing interfaces when unnecessary may also reduce attack surface, but no complete mitigation short of patching is provided in the available content.

Remediation

Patch, then assume compromise.

Apply a Linux kernel version containing the upstream fix for CVE-2026-23462 ("Bluetooth: HIDP: Fix possible UAF"). The fix corrects reference handling by dropping the l2cap_conn reference when the user->remove callback is called. Downstream vendors including SUSE have shipped patched kernels in multiple advisories; deploy the vendor-provided updated kernel package for the affected distribution and reboot into the fixed kernel.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

bugzilla suseNews

Jun 4, 2026

1261710 - (CVE-2026-23462) VUL-0: CVE-2026-23462: kernel: Bluetooth: HIDP: Fix possible UAF

A Linux kernel use-after-free vulnerability in the Bluetooth HIDP subsystem caused by improper handling of an l2cap_conn reference during a user->remove callback.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-23462

NVD

nvd.nist.gov/vuln/detail/CVE-2026-23462

MITRE CWE · CWE-416

Use After Free

Patch

git.kernel.org/stable/c/18b1263ece6431bd78fa6b61faaef5281203741c

Patch

git.kernel.org/stable/c/21a47a119f33df9bb157326846390d7e8e1b45ba

Patch

git.kernel.org/stable/c/45ebe5b900200ac3e01f3470506a44a447825721

Patch

git.kernel.org/stable/c/4d37fa7582aa960ba23e10a7a2596a29f37ad281

Patch

git.kernel.org/stable/c/7c805b7d1e580eececcc92470292e3dbc42bc3f5

Patch

git.kernel.org/stable/c/d955ccbf91ab74d76fe9e4eab2846a7d8a173075

Patch

git.kernel.org/stable/c/dbf666e4fc9bdd975a61bf682b3f75cb0145eedd

Patch

git.kernel.org/stable/c/f8b6ed2f06d3baa44f347a0fa2af52433f386463