PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53357 Linux CVE debrief

CVE-2026-53357 is a use-after-free vulnerability in the Linux kernel's Bluetooth subsystem. The vulnerability exists in the l2cap_sock_cleanup_listen() function, which is called when a listening socket is closed. A concurrent HCI disconnect can trigger the l2cap_conn_del() function, which frees the child socket and its l2cap_chan. The cleanup_listen() function then uses both, resulting in a use-after-free error.

Vendor
Linux
Product
Unknown
CVSS
HIGH 8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-18
Advisory published
2026-07-02
Advisory updated
2026-07-18

Who should care

Linux kernel developers and maintainers, Bluetooth protocol implementers, and organizations using Linux-based systems with Bluetooth capabilities should be aware of this vulnerability. This vulnerability can be exploited by an unprivileged attacker to cause a denial-of-service or potentially execute arbitrary code.

Technical summary

The vulnerability is caused by a race condition between the l2cap_sock_cleanup_listen() function and the l2cap_conn_del() function. The l2cap_sock_cleanup_listen() function walks the children of a listening socket on close, while the l2cap_conn_del() function frees the child socket and its l2cap_chan. This can result in a use-after-free error when the cleanup_listen() function uses the freed child socket and l2cap_chan. The fix involves taking a reference to the child socket in bt_accept_dequeue() and calling sock_put() in the callers.

Defensive priority

High

Recommended defensive actions

  • Review and apply the provided patch to the Linux kernel
  • Monitor Linux kernel updates for future fixes
  • Implement additional logging and monitoring for Bluetooth-related activity
  • Consider using SELinux or other Mandatory Access Control systems to restrict Bluetooth protocol access
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-02T15:17:03.103Z and last modified on 2026-07-18T08:16:36.343Z. The NVD entry is currently Awaiting Analysis. Multiple source references are provided, including kernel.org links to specific commits.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T15:17:03.103Z and has not been modified since then.