CVE-2026-23461: Linux Kernel Bluetooth Use-After-Free Bug

CVE-2026-23461 Overview

CVE-2026-23461 is a use-after-free vulnerability in the Linux kernel's Bluetooth Logical Link Control and Adaptation Protocol (L2CAP) subsystem. The flaw resides in the l2cap_unregister_user() function and stems from inconsistent locking in the L2CAP connection management code. After commit ab4eedb790ca introduced conn->lock to protect access to conn->users in l2cap_conn_del(), the corresponding l2cap_register_user() and l2cap_unregister_user() functions continued to use hci_dev_lock(), creating a race condition. An attacker within Bluetooth range can trigger concurrent access to conn->users and conn->hchan, leading to use-after-free conditions and list corruption.

Critical Impact

An adjacent network attacker can exploit this race condition to corrupt kernel memory, potentially achieving privilege escalation or kernel-level code execution on affected Linux systems with Bluetooth enabled.

Affected Products

• Linux Kernel (Bluetooth L2CAP subsystem)
• Distributions shipping kernels that include commit ab4eedb790ca without the corresponding fix
• Any Linux-based system with Bluetooth hardware enabled

Discovery Timeline

• 2026-04-03 - CVE-2026-23461 published to NVD
• 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-23461

Vulnerability Analysis

The vulnerability is a classic kernel race condition that produces a use-after-free in the Bluetooth L2CAP code path. The L2CAP layer maintains a list of registered users on each l2cap_conn structure through conn->users. The functions l2cap_register_user() and l2cap_unregister_user() add and remove entries from this list, while l2cap_conn_del() tears down the connection and frees associated resources, including conn->hchan.

The report from the syzbot fuzzer demonstrated that concurrent execution of these paths can corrupt the list and dereference freed memory. Successful exploitation can result in kernel memory corruption, denial of service through kernel panic, or escalation to arbitrary kernel code execution depending on the heap state at the time of the race [CWE-416].

Root Cause

The root cause is inconsistent locking discipline introduced by commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"). That commit moved protection of conn->users under a new conn->lock mutex in l2cap_conn_del(). However, l2cap_register_user() and l2cap_unregister_user() continued to serialize using hci_dev_lock(). Because the two locks are independent, the registration and deregistration paths can run concurrently with connection teardown. This allows iteration and modification of the user list while another CPU is freeing the underlying l2cap_conn and its hchan channel.

Attack Vector

Exploitation requires an attacker to be within Bluetooth radio range of the target, consistent with the Adjacent Network attack vector. The attacker must induce L2CAP user registration or unregistration events while the connection is being torn down. This is typically achieved by repeatedly establishing and dropping L2CAP connections to win the race against l2cap_conn_del(). No authentication or user interaction is required, which raises the practical risk for any device that accepts Bluetooth pairing or scanning traffic.

No public proof-of-concept exploit is currently available outside of the syzbot reproducer that surfaced the bug. Refer to the upstream commits in the Linux Kernel git repository for the verified source-level changes.

Detection Methods for CVE-2026-23461

Indicators of Compromise

• Kernel oops or panic messages referencing l2cap_unregister_user, l2cap_conn_del, or hci_chan_del in dmesg or /var/log/kern.log
• KASAN reports indicating use-after-free in the net/bluetooth/l2cap_core.c code path
• Unexpected Bluetooth service crashes or repeated bluetoothd restarts on affected hosts

Detection Strategies

• Inventory running kernel versions against vendor advisories to identify hosts running unpatched builds that include commit ab4eedb790ca but lack the corresponding lock fix
• Enable KASAN on test and staging kernels to surface use-after-free conditions in the Bluetooth stack during fuzzing or QA
• Correlate Bluetooth subsystem errors with audit logs that show unusual rates of L2CAP connection establishment and teardown from nearby devices

Monitoring Recommendations

• Forward kernel logs to a centralized logging platform and alert on stack traces containing l2cap_ symbols
• Monitor Bluetooth adapter state changes and bluetoothd service health across the fleet
• Track patch compliance for the affected kernel package versions on every Linux endpoint and server

How to Mitigate CVE-2026-23461

Immediate Actions Required

• Apply the upstream kernel fixes from commits 11a87dd5df42, 71030f3b3015, 752a6c9596dd, c22a5e659959, and da3000cbe485 as packaged by your Linux distribution
• Disable Bluetooth on systems that do not require it by unloading the bluetooth and btusb kernel modules and masking the bluetooth.service unit
• Restrict Bluetooth discoverability and pairing on systems where the service must remain enabled until patches are deployed

Patch Information

The vulnerability is resolved by changing l2cap_register_user() and l2cap_unregister_user() to acquire conn->lock instead of hci_dev_lock(), restoring consistent locking around the l2cap_conn structure. The fix is distributed across multiple stable branches in the upstream Linux kernel: commit 11a87dd, commit 71030f3, commit 752a6c9, commit c22a5e6, and commit da3000c. Consult your distribution vendor for the corresponding package update.

Workarounds

• Unload the Bluetooth kernel modules with modprobe -r btusb bluetooth on systems that do not need wireless connectivity
• Set the Bluetooth adapter to non-discoverable and disable automatic pairing through bluetoothctl to reduce the attack surface
• Use a kernel module blacklist to prevent Bluetooth modules from loading at boot on servers and headless systems

# Disable Bluetooth at the system level until patches are applied
sudo systemctl stop bluetooth.service
sudo systemctl mask bluetooth.service

# Prevent Bluetooth kernel modules from loading
echo 'blacklist bluetooth' | sudo tee /etc/modprobe.d/disable-bluetooth.conf
echo 'blacklist btusb'     | sudo tee -a /etc/modprobe.d/disable-bluetooth.conf

# Unload modules from the running kernel
sudo modprobe -r btusb bluetooth