In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: l2cap: Add missing chan lock in l2capecredreconf_rsp
l2capecredreconfrsp() calls l2capchandel() without holding l2capchanlock(). Every other l2capchan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it.
Add l2capchanhold() and l2capchanlock() before l2capchandel(), and l2capchanunlock() and l2capchanput() after, matching the pattern used in l2capecredconnrsp() and l2capconn_del().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53071.json",
"cna_assigner": "Linux"
}