CVE-2026-23462 Overview
CVE-2026-23462 is a use-after-free vulnerability in the Linux kernel's Bluetooth Human Interface Device Protocol (HIDP) subsystem. The flaw stems from improper reference counting in the Logical Link Control and Adaptation Protocol (L2CAP) layer. Specifically, the l2cap_conn reference is not dropped when the user->remove callback executes, leading to a use-after-free condition on the connection structure. An adjacent attacker within Bluetooth range can trigger this memory corruption and potentially achieve arbitrary code execution in kernel context.
Critical Impact
Adjacent network attackers can exploit this Bluetooth HIDP use-after-free to corrupt kernel memory, potentially leading to privilege escalation, kernel code execution, or denial of service on affected Linux systems.
Affected Products
- Linux kernel (multiple stable branches that include the Bluetooth HIDP subsystem)
- Distributions shipping vulnerable kernels with Bluetooth enabled
- Systems exposing the hci_vhci virtual HCI driver or physical Bluetooth adapters
Discovery Timeline
- 2026-04-03 - CVE-2026-23462 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-23462
Vulnerability Analysis
The vulnerability resides in the Bluetooth HIDP subsystem of the Linux kernel. HIDP registers a user callback structure with the L2CAP core, which holds a reference to the l2cap_conn object. When the L2CAP layer invokes the registered user->remove callback during connection teardown, HIDP fails to drop its reference on l2cap_conn. This mismatched reference counting leads to a stale pointer being accessed after the connection is freed, as shown by the kernel call trace through l2cap_conn_free, l2cap_conn_del, and l2cap_disconn_cfm.
The trace originates from hci_dev_close_sync calling hci_conn_hash_flush, which propagates disconnection events. Because the connection object can be freed while HIDP still holds a dangling reference, subsequent operations dereference released memory, producing a classic use-after-free [CWE-416].
Root Cause
The root cause is a missing reference release in the HIDP user->remove callback path. The L2CAP core expects registered users to drop their l2cap_conn reference when the remove callback runs. HIDP omits this step, leaving the kernel's reference counter in an inconsistent state and allowing the connection object to be freed while still referenced.
Attack Vector
Exploitation requires Bluetooth proximity to a vulnerable host, classifying this as an adjacent network attack. An attacker who can initiate, manipulate, or disrupt Bluetooth HIDP connections can drive the host through the vulnerable teardown sequence. Local attackers with access to the hci_vhci driver, as seen in the reproduction trace, can also trigger the condition. Successful exploitation may yield kernel memory corruption suitable for privilege escalation.
No verified public exploit code is available at this time. Refer to the upstream fixes for technical details: Kernel Commit 18b1263e, Kernel Commit 21a47a11, and Kernel Commit 4d37fa75.
Detection Methods for CVE-2026-23462
Indicators of Compromise
- Kernel log entries referencing l2cap_conn_free followed by crashes or oopses in l2cap_disconn_cfm or hci_conn_hash_flush.
- Unexpected kernel panics or KASAN use-after-free reports in net/bluetooth/l2cap_core.c or net/bluetooth/hidp/.
- Repeated short-lived HIDP session creation and teardown originating from untrusted Bluetooth peers.
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) or KFENCE on test systems to surface use-after-free conditions in the Bluetooth stack.
- Audit running kernel versions against the patched commits to identify hosts missing the HIDP reference-count fix.
- Monitor for anomalous Bluetooth pairing or HIDP activity from unknown devices in environments where Bluetooth is not operationally required.
Monitoring Recommendations
- Forward kernel ring buffer and journald logs to a centralized log platform and alert on Bluetooth subsystem oops or warning traces.
- Track loaded kernel modules (hidp, bluetooth, l2cap) on endpoints where Bluetooth should be disabled per policy.
- Correlate Bluetooth-related crash signatures across fleets to identify potential exploitation attempts.
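The log indicators listed above can be checked mechanically. The following is an added example, not code from the advisory or the kernel project: it scans kernel log text for KASAN use-after-free reports or oopses whose stack frames include the functions this page names. The sample log lines, offsets and the `ext4_example_fn` symbol are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Flags kernel-log crash reports whose stack frames include
# the functions named in this advisory. Sample log lines are constructed.

BT_FRAMES='l2cap_conn_free|l2cap_conn_del|l2cap_disconn_cfm|hci_conn_hash_flush'

# Reads kernel log text on stdin. For every KASAN use-after-free report or
# oops that contains at least one frame from BT_FRAMES, prints:
#   <kind> <first matching frame> <number of distinct matching frames>
# Returns 0 if any report matched, 1 otherwise.
scan_bt_crashes() {
  awk -v frames="$BT_FRAMES" '
    function flush() {
      if (kind != "" && hits > 0) { printf "%s %s %d\n", kind, first, hits; found = 1 }
      kind = ""; first = ""; hits = 0; split("", seen)
    }
    # Report boundaries: a KASAN banner always opens a new report; an oops
    # banner opens one only if no report is already open.
    /BUG: KASAN: [a-z-]*use-after-free/ { flush(); kind = "kasan-uaf" }
    /Oops: |general protection fault/   { if (kind == "") kind = "oops" }
    # Count symbol+0x... frames (the KASAN banner line carries one as well).
    kind != "" && match($0, "(" frames ")\\+0x") {
      name = substr($0, RSTART, RLENGTH - 3)
      if (!(name in seen)) { seen[name] = 1; hits++; if (first == "") first = name }
    }
    /---\[ end trace/ { flush() }
    END { flush(); exit (found ? 0 : 1) }
  '
}

# Constructed sample: one Bluetooth teardown report, one unrelated report.
sample_log() {
  cat <<'EOF'
[  101.000001] Bluetooth: hci0: command tx timeout
[  101.000002] BUG: KASAN: slab-use-after-free in l2cap_conn_free+0x10/0x20
[  101.000003] Call Trace:
[  101.000004]  l2cap_conn_free+0x10/0x20
[  101.000005]  l2cap_conn_del+0x30/0x40
[  101.000006]  l2cap_disconn_cfm+0x50/0x60
[  101.000007]  hci_conn_hash_flush+0x70/0x80
[  101.000008]  hci_dev_close_sync+0x90/0xa0
[  101.000009] ---[ end trace 0000000000000000 ]---
[  202.000001] BUG: KASAN: slab-use-after-free in ext4_example_fn+0x10/0x20
[  202.000002]  ext4_example_fn+0x10/0x20
[  202.000003] ---[ end trace 0000000000000000 ]---
EOF
}

# Live use: journalctl -k --no-pager | scan_bt_crashes
sample_log | scan_bt_crashes
```

A match shows that a crash passed through the L2CAP teardown path; it does not by itself distinguish exploitation from an accidental trigger, so correlate it with the Bluetooth peer activity described above.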
How to Mitigate CVE-2026-23462
Immediate Actions Required
- Apply the upstream Linux kernel patches that drop the l2cap_conn reference in the HIDP user->remove callback.
- Update to a distribution kernel build that incorporates the referenced stable commits.
- Disable Bluetooth on systems where it is not required, particularly servers and fixed-function appliances.
Patch Information
The fix is distributed across multiple Linux stable trees. Review and apply the relevant commit for your kernel branch: Kernel Commit 18b1263e, Kernel Commit 21a47a11, Kernel Commit 45ebe5b9, Kernel Commit 4d37fa75, Kernel Commit 7c805b7d, Kernel Commit d955ccbf, Kernel Commit dbf666e4, and Kernel Commit f8b6ed2f.
Workarounds
- Blocklist the hidp and bluetooth kernel modules on systems that do not require Bluetooth HID functionality.
- Restrict physical access and limit Bluetooth discoverability to reduce the adjacent attack surface.
- Remove or restrict access to the hci_vhci virtual HCI driver on multi-tenant or untrusted-user systems.
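# Disable Bluetooth HIDP and core modules where not required
sudo systemctl stop bluetooth.service
sudo systemctl disable bluetooth.service
# Prevent alias-based autoloading of the modules on future boots
echo 'blacklist hidp' | sudo tee /etc/modprobe.d/blacklist-hidp.conf
echo 'blacklist bluetooth' | sudo tee /etc/modprobe.d/blacklist-bluetooth.conf
# Unload now; this fails silently while dependent modules (e.g. rfcomm, bnep, btusb) are loaded, so confirm with lsmod or reboot
sudo modprobe -r hidp bluetooth 2>/dev/null || true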
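Because the unload step above discards errors, the workaround should be verified rather than assumed. The following check is an added example, not part of the advisory: it reports whether hidp and bluetooth are still loaded and whether a modprobe.d policy covers them. The function names, the recognised `install <module> /bin/false` form and the fixture contents are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example. Verifies that the module workaround took effect.
# Arguments default to the live system; the demo uses constructed fixtures.

# Prints one line per module: "<module> loaded=<yes|no> policy=<...>"
#   install-blocked: "install <module> /bin/false" (also stops explicit modprobe)
#   blacklisted:     "blacklist <module>" (stops alias-based autoloading only)
# Returns 0 only if neither module is loaded and both have a policy entry.
audit_bt_modules() {
  local proc_modules="${1:-/proc/modules}" conf_dir="${2:-/etc/modprobe.d}"
  local mod loaded policy rc=0
  for mod in hidp bluetooth; do
    loaded=no; policy=none
    awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }' "$proc_modules" && loaded=yes
    if grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(false|true)" "$conf_dir"/*.conf; then
      policy=install-blocked
    elif grep -Eqs "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*\$" "$conf_dir"/*.conf; then
      policy=blacklisted
    fi
    echo "$mod loaded=$loaded policy=$policy"
    if [ "$loaded" = yes ] || [ "$policy" = none ]; then rc=1; fi
  done
  return "$rc"
}

# Demo on constructed fixtures: a blacklist file exists for hidp only, and
# both modules are still resident because the unload did not succeed.
demo_audit() {
  local d; d="$(mktemp -d)"
  printf '%s\n' 'hidp 36864 0 - Live 0x0000000000000000' \
                'bluetooth 1028096 1 hidp, Live 0x0000000000000000' > "$d/modules"
  mkdir "$d/modprobe.d"
  echo 'blacklist hidp' > "$d/modprobe.d/blacklist-hidp.conf"
  audit_bt_modules "$d/modules" "$d/modprobe.d"; local rc=$?
  rm -rf "$d"; return "$rc"
}

demo_audit || echo "workaround incomplete"
```

Run `audit_bt_modules` with no arguments on a host to check the live `/proc/modules` and `/etc/modprobe.d`.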
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


