CVE Catalog

CVE-2026-53071

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

In the Linux kernel, the Bluetooth L2CAP subsystem lacked channel locking in l2cap_ecred_reconf_rsp(). A remote BLE device can send a crafted ECRED reconfiguration response, corrupting the channel list while another thread iterates it.

Risk Assessment

An attacker can exploit this race condition to cause memory corruption or potential privilege escalation on the system.

Recommendation

Immediately update the Linux kernel to a version containing the fix that adds missing locks (l2cap_chan_lock/unlock) in l2cap_ecred_reconf_rsp().

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it. Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(), and l2cap_chan_unlock() and l2cap_chan_put() after, matching the pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().

Vulnerability data from NVD (NIST) · CISA KEV · EPSS