Linux Kernel Bluetooth L2CAP Deadlock Fix
CVE-2026-31499 Published on April 22, 2026
Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer
and id_addr_timer while holding conn->lock. However, the work functions
l2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire
conn->lock, creating a potential AB-BA deadlock if the work is already
executing when l2cap_conn_del() takes the lock.
Move the work cancellations before acquiring conn->lock and use
disable_delayed_work_sync() to additionally prevent the works from
being rearmed after cancellation, consistent with the pattern used in
hci_conn_del().
Products Associated with CVE-2026-31499
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version ab4eedb790cae44313759b50fe47da285e2519d5 and below 3f26ecbd9cde621dd94be7ef252c7210b965a5c7 is affected.
- Version ab4eedb790cae44313759b50fe47da285e2519d5 and below d008460de352e534f6721de829b093368564ec66 is affected.
- Version ab4eedb790cae44313759b50fe47da285e2519d5 and below 00fdebbbc557a2fc21321ff2eaa22fd70c078608 is affected.
- Version efc30877bd4bc85fefe98d80af60fafc86e5775e is affected.
- Version f87271d21dd4ee83857ca11b94e7b4952749bbae is affected.
- Version 18ab6b6078fa8191ca30a3065d57bf35d5635761 is affected.
- Version 6.14 is affected.
- Before 6.14 is unaffected.
- Version 6.18.21, <= 6.18.* is unaffected.
- Version 6.19.11, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.