PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23461 Linux CVE debrief

CVE-2026-23461 is a Linux kernel Bluetooth L2CAP concurrency flaw that can trigger use-after-free and list corruption in conn->users / hchan handling. NVD rates the issue HIGH (CVSS 8.8) with adjacent-network attack conditions, and the record ties it to CWE-416. The published fix moves l2cap_register_user() and l2cap_unregister_user() to conn->lock for consistent synchronization with l2cap_conn_del().

Vendor
Linux
Product
Unknown
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-03
Original CVE updated
2026-05-20
Advisory published
2026-04-03
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, embedded-device vendors, and operators of systems that expose Bluetooth functionality in affected kernel branches should prioritize this issue. It is especially relevant where kernel updates are delayed or backports are incomplete.

Technical summary

The vulnerability arises because l2cap_conn_del() was updated to protect access to conn->users with conn->lock, but l2cap_register_user() and l2cap_unregister_user() continued to use hci_dev_lock(). That mismatch creates a race on the l2cap_conn structure: concurrent manipulation of conn->users and conn->hchan can produce a use-after-free and list corruption. The NVD record lists CWE-416 and includes multiple kernel patch references as remediation.

Defensive priority

High. Although the CVSS vector reflects adjacent attack conditions rather than unauthenticated network reachability, the impact is severe (confidentiality, integrity, and availability all rated High) and the affected component is the Linux kernel Bluetooth stack. Patch and validate backports promptly on any system running impacted kernel versions.

Recommended defensive actions

  • Apply the upstream or vendor kernel fixes referenced by NVD and confirm the locking change is present in your build.
  • Inventory deployed Linux kernel versions against the NVD affected ranges: 6.6.84-6.6.130, 6.12.20-6.12.78, 6.13.8-6.14, 6.14.1-6.18.20, and 6.19-6.19.10, plus the listed release-candidate builds.
  • Verify that your distribution has backported the Bluetooth L2CAP locking fix, not just the version number.
  • Prioritize testing on systems that rely on Bluetooth connectivity or run kernel builds with custom Bluetooth changes.
  • Monitor for kernel crashes, memory corruption, or Bluetooth subsystem instability until remediation is confirmed.

Evidence notes

Source evidence is limited to the official NVD CVE record and the linked kernel patch references. The CVE was published on 2026-04-03T16:16:33.140Z and last modified on 2026-05-20T15:30:09.390Z. NVD marks the vulnerability as analyzed, assigns CVSS 3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and identifies CWE-416. The description states that l2cap_register_user() and l2cap_unregister_user() did not use conn->lock, creating a race with l2cap_conn_del().

Official resources

Public CVE record published by NVD on 2026-04-03. This debrief uses only the supplied official CVE/NVD data and the linked kernel patch references.