Linux kernel Bluetooth L2CAP: Missing lock in l2cap_ecred_reconf_rsp()
CVE-2026-53071 Published on June 24, 2026

Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it. Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().

NVD

Vulnerability Analysis

CVE-2026-53071 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
LOCAL
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Missing Lock Check

A product does not check to see if a lock is present before performing sensitive operations on a resource.


Products Associated with CVE-2026-53071

stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Red Hat Enterprise Linux (RHEL). Just hit a watch button to start following.

 
 

Affected Versions

Linux: Linux: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Enterprise Linux 6: Red Hat Enterprise Linux 7: