CVE-2026-53357

Source
https://cve.org/CVERecord?id=CVE-2026-53357
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53357.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53357
Downstream
Published
2026-07-02T13:43:17.077Z
Modified
2026-07-16T03:31:10.119811342Z
Summary
Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix UAF in l2capsockcleanuplisten() vs l2capconn_del()

btacceptdequeue() unlinks a not-yet-accepted child from the parent accept queue and release_sock()s it before returning, so the returned sk has no caller reference and is unlocked.

l2capsockcleanuplisten() walks these children on listening-socket close. A concurrent HCI disconnect drives hcirxwork -> l2capconndel() which runs l2capchandel() + l2capsockkill() and frees the child sk and its l2capchan; cleanup_listen() then uses both:

BUG: KASAN: slab-use-after-free in l2capsockkill l2capsockkill / l2capsockcleanup_listen / _x64sysclose Freed by: l2capconndel -> l2capsockclosecb -> l2capsockkill

This is distinct from the two fixes already in this area: commit e83f5e24da741 ("Bluetooth: serialize acceptq access") serialises the acceptq list/poll and takes temporary refs inside btacceptdequeue(), and CVE-2025-39860 serialises the userspace close()/accept() race by calling cleanuplisten() under locksock() in l2capsockrelease(). Neither covers l2capconndel() running from hcirxwork, so this UAF still reproduces on current bluetooth/master.

Take the reference at the source: btacceptdequeue() does sockhold() while sk is still locked, before releasesock(); callers sockput(). cleanuplisten() pins the chan with l2capchanholdunlesszero() under a brief child sk lock (serialising vs l2capsockteardowncb()), drops it before l2capchanlock(), and skips a duplicate l2capsockkill() on SOCKDEAD. conn->lock is not taken here: cleanuplisten() runs under the parent sk lock and that would invert conn->lock -> chan->lock -> sklock (lockdep).

KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced 12 use-after-free reports per run before this change; 0, and no lockdep report, over 1600+ raced iterations after it on bluetooth/master.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53357.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
15f02b91056253e8cdc592888f431da0731337b8
Fixed
751de6ec671fe75ad9cf65a0638d2a06b6a5984d
Fixed
407217734835d21d4e0105ebf347860dc1806f88
Fixed
7eebd4c2c86f573af87ff165d08a83432eb0b919
Fixed
5d86d2f1b4d9a508c441d3e45277ae1a73cfed57
Fixed
87c543e2f78d0871f271df92dab98901bbd5b6f5
Fixed
added1213395071470a900cc845a042fb51882a6
Fixed
a5ca86a6097a8b030ca3226cd300b17ed330f966
Fixed
ab1513597c6cf17cd1ad2a21e3b045421b48e022

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53357.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.7.0
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.142
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.92
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.34
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53357.json"