Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: HIDP: Fix possible UAF

This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called:

[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 97.809947] Call Trace:
[ 97.809954] <TASK>
[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
[ 97.810404] __fput (fs/file_table.c:470)
[ 97.810430] task_work_run (kernel/task_work.c:235)
[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
[ 97.810527] do_exit (kernel/exit.c:972)
[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 97.810721] do_group_exit (kernel/exit.c:1093)
[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810826] ? vfs_read (fs/read_write.c:555)
[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810960] arch_do_signal_or_restart (arch/ ---truncated---

PUBLISHED Reserved 2026-01-13 | Published 2026-04-03 | Updated 2026-05-11 | Assigner Linux




HIGH: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Product status

Default status: unaffected

b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 (git) before d955ccbf91ab74d76fe9e4eab2846a7d8a173075
affected

b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 (git) before 18b1263ece6431bd78fa6b61faaef5281203741c
affected

b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 (git) before 21a47a119f33df9bb157326846390d7e8e1b45ba
affected

b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 (git) before 45ebe5b900200ac3e01f3470506a44a447825721
affected

b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 (git) before 7c805b7d1e580eececcc92470292e3dbc42bc3f5
affected

b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 (git) before f8b6ed2f06d3baa44f347a0fa2af52433f386463
affected

b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 (git) before 4d37fa7582aa960ba23e10a7a2596a29f37ad281
affected

b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 (git) before dbf666e4fc9bdd975a61bf682b3f75cb0145eedd
affected

Default status: affected

3.10
affected

Any version before 3.10
unaffected

5.10.253 (semver)
unaffected

5.15.203 (semver)
unaffected

6.1.167 (semver)
unaffected

6.6.130 (semver)
unaffected

6.12.78 (semver)
unaffected

6.18.20 (semver)
unaffected

6.19.10 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/d955ccbf91ab74d76fe9e4eab2846a7d8a173075

git.kernel.org/...c/18b1263ece6431bd78fa6b61faaef5281203741c

git.kernel.org/...c/21a47a119f33df9bb157326846390d7e8e1b45ba

git.kernel.org/...c/45ebe5b900200ac3e01f3470506a44a447825721

git.kernel.org/...c/7c805b7d1e580eececcc92470292e3dbc42bc3f5

git.kernel.org/...c/f8b6ed2f06d3baa44f347a0fa2af52433f386463

git.kernel.org/...c/4d37fa7582aa960ba23e10a7a2596a29f37ad281

git.kernel.org/...c/dbf666e4fc9bdd975a61bf682b3f75cb0145eedd

cve.org (CVE-2026-23462)

nvd.nist.gov (CVE-2026-23462)