CVE-2026-53071
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
In the Linux kernel, the Bluetooth L2CAP subsystem lacked channel locking in l2cap_ecred_reconf_rsp(). A remote BLE device can send a crafted ECRED reconfiguration response, corrupting the channel list while another thread iterates it.
Risk Assessment
An attacker can exploit this race condition to cause memory corruption or potential privilege escalation on the system.
Recommendation
Immediately update the Linux kernel to a version containing the fix that adds missing locks (l2cap_chan_lock/unlock) in l2cap_ecred_reconf_rsp().
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it. Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().

