Cyber Resilience

CVE-2026-23461

High

Published: 03 April 2026

Modified: 20 May 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (15.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23461 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 15.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23461 is a use-after-free vulnerability in the Linux kernel's Bluetooth L2CAP subsystem, specifically in the l2cap_unregister_user function. The issue stems from a race condition introduced after commit ab4eedb790ca, where l2cap_conn_del uses conn->lock to protect access to conn->users, but l2cap_register_user and l2cap_unregister_user use hci_dev_lock instead. This inconsistent locking allows concurrent access to conn->users and conn->hchan, leading to use-after-free and list corruption bugs, as reported by syzbot.

An attacker with adjacent network access, such as within Bluetooth range, can exploit this vulnerability with low complexity and no privileges or user interaction required. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, with a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), potentially enabling arbitrary code execution, data corruption, or system crashes on affected systems.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, including 11a87dd5df428a4b79a84d2790cac7f3c73f1f0d, 71030f3b3015a412133a805ff47970cdcf30c2b8, 752a6c9596dd25efd6978a73ff21f3b592668f4a, c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf, and da3000cbe4851458a22be38bb18c0689c39fdd5f. These changes enforce consistent use of conn->lock in l2cap_register_user and l2cap_unregister_user to prevent the race condition.
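The locking mismatch and its fix can be checked mechanically with a lockset intersection. The block below is an added example, not code from the kernel or from this page: the `path` struct, the lock ids and the function names `common_lockset`, `before_fix_serialized` and `after_fix_serialized` are hypothetical, and the model encodes only the lock usage stated above.

```c
/* Added illustration, not kernel code: lockset check over a model of the
 * L2CAP paths that touch conn->users, as this page describes them. */
#include <stddef.h>
#include <stdio.h>

/* Hypothetical lock ids for the model. */
enum { HCI_DEV_LOCK = 1u << 0, CONN_LOCK = 1u << 1 };

struct path {
    const char *name;     /* kernel function the entry stands for */
    unsigned locks_held;  /* locks held while it touches conn->users */
};

/* Before the fix: register/unregister rely on hci_dev_lock only. */
static const struct path before_fix[] = {
    { "l2cap_conn_del",        CONN_LOCK },
    { "l2cap_register_user",   HCI_DEV_LOCK },
    { "l2cap_unregister_user", HCI_DEV_LOCK },
};

/* After the fix: every path takes conn->lock. */
static const struct path after_fix[] = {
    { "l2cap_conn_del",        CONN_LOCK },
    { "l2cap_register_user",   CONN_LOCK },
    { "l2cap_unregister_user", CONN_LOCK },
};

/* Intersect the locks held at every access to the shared data. */
unsigned common_lockset(const struct path *p, size_t n)
{
    unsigned set = n ? ~0u : 0u;
    for (size_t i = 0; i < n; i++)
        set &= p[i].locks_held;
    return set;
}

/* An empty intersection means no single lock serializes all accesses. */
int before_fix_serialized(void) { return common_lockset(before_fix, 3) != 0; }
int after_fix_serialized(void)  { return common_lockset(after_fix, 3) != 0; }

int main(void)
{
    printf("before fix serialized: %d\n", before_fix_serialized());
    printf("after fix serialized:  %d\n", after_fix_serialized());
    return 0;
}
```

The same intersection rule is what a review of any new accessor of `conn->users` should apply: if it does not hold `conn->lock`, the common lockset becomes empty again.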

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user

After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del(). This can lead to use-after-free and list corruption bugs, as reported by syzbot.

Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Kernel UAF/RCE primitive in Bluetooth L2CAP enables adjacent-network exploitation for privilege escalation (T1068) and remote service exploitation (T1210).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23193 (same product: Linux kernel)
CVE-2026-23226 (same product: Linux kernel)
CVE-2026-31408 (same product: Linux kernel)
CVE-2026-23428 (same product: Linux kernel)
CVE-2026-31533 (same product: Linux kernel)
CVE-2026-31444 (same product: Linux kernel)
CVE-2023-53021 (same product: Linux kernel)
CVE-2022-49694 (same product: Linux kernel)
CVE-2022-49377 (same product: Linux kernel)
CVE-2024-57801 (same product: Linux kernel)

Affected Assets

linux
linux kernel
6.14, 7.0 · 6.6.84 — 6.6.130 · 6.12.20 — 6.12.78 · 6.13.8 — 6.14

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mandates timely patching of the Linux kernel use-after-free flaw in Bluetooth L2CAP as specified in the CVE mitigation commits.

prevent

Provides memory safeguards such as ASLR and non-executable memory to mitigate exploitation of the use-after-free vulnerability to arbitrary code execution.

detect

Enables vulnerability scanning to identify the Bluetooth L2CAP kernel flaw, facilitating prompt remediation.
