CVE-2026-23461
Published: 03 April 2026
Summary
CVE-2026-23461 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 15.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23461 is a use-after-free vulnerability in the Linux kernel's Bluetooth L2CAP subsystem, specifically in the l2cap_unregister_user function. The issue stems from a race condition introduced after commit ab4eedb790ca, where l2cap_conn_del uses conn->lock to protect access to conn->users, but l2cap_register_user and l2cap_unregister_user use hci_dev_lock instead. This inconsistent locking allows concurrent access to conn->users and conn->hchan, leading to use-after-free and list corruption bugs, as reported by syzbot.
An attacker with adjacent network access, such as within Bluetooth range, can exploit this vulnerability with low complexity and no privileges or user interaction required. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, with a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), potentially enabling arbitrary code execution, data corruption, or system crashes on affected systems.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, including 11a87dd5df428a4b79a84d2790cac7f3c73f1f0d, 71030f3b3015a412133a805ff47970cdcf30c2b8, 752a6c9596dd25efd6978a73ff21f3b592668f4a, c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf, and da3000cbe4851458a22be38bb18c0689c39fdd5f. These changes enforce consistent use of conn->lock in l2cap_register_user and l2cap_unregister_user to prevent the race condition.
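The locking mismatch and its fix described above, as an added userspace model (not kernel code and not taken from the referenced patches): one path holds the model of conn->lock while the unregister path runs under either the hci_dev_lock model or conn->lock. All `model_*` names, the enum, and the try-lock helper are constructed for this illustration.

```c
/* Added illustration: userspace model of the lock mismatch, not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>

/* Minimal try-lock built on atomic_flag (constructed stand-in for a kernel mutex). */
typedef struct { atomic_flag held; } model_lock;
static void model_init(model_lock *l)    { atomic_flag_clear(&l->held); }
static bool model_trylock(model_lock *l) { return !atomic_flag_test_and_set(&l->held); }
static void model_unlock(model_lock *l)  { atomic_flag_clear(&l->held); }

struct model_hdev { model_lock lock; };   /* models hci_dev_lock() */
struct model_conn {
    model_lock lock;                      /* models conn->lock */
    struct model_hdev *hdev;
    int users;                            /* models conn->users */
};

enum unregister_lock { USE_HDEV_LOCK, USE_CONN_LOCK };

/* Unregister path: drops one user if it can take the lock it is told to use. */
static bool model_unregister_user(struct model_conn *c, enum unregister_lock which)
{
    model_lock *l = (which == USE_CONN_LOCK) ? &c->lock : &c->hdev->lock;
    if (!model_trylock(l))
        return false;        /* excluded: teardown already holds this lock */
    c->users--;              /* touches state that teardown is also walking */
    model_unlock(l);
    return true;
}

/* Hold conn->lock as the teardown path does, then report whether the
 * unregister path was still able to modify conn->users underneath it. */
bool unregister_overlaps_teardown(enum unregister_lock which)
{
    struct model_hdev hdev;
    struct model_conn conn = { .hdev = &hdev, .users = 1 };
    model_init(&hdev.lock);
    model_init(&conn.lock);

    bool got = model_trylock(&conn.lock);   /* teardown enters its critical section */
    bool overlapped = got && model_unregister_user(&conn, which);
    model_unlock(&conn.lock);
    return overlapped;
}
```

With `USE_HDEV_LOCK` the two critical sections overlap because they are guarded by different locks; with `USE_CONN_LOCK` the unregister path is excluded until teardown releases the lock.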
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18722
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del(). This can lead to use-after-free and list corruption bugs, as reported by syzbot. Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel UAF/RCE primitive in Bluetooth L2CAP enables adjacent-network exploitation for privilege escalation (T1068) and remote service exploitation (T1210).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely patching of the Linux kernel use-after-free flaw in Bluetooth L2CAP as specified in the CVE mitigation commits.
Provides memory safeguards such as ASLR and non-executable memory to mitigate exploitation of the use-after-free vulnerability to arbitrary code execution.
Enables vulnerability scanning to identify the Bluetooth L2CAP kernel flaw, facilitating prompt remediation.