CVE-2026-53358

Source
https://cve.org/CVERecord?id=CVE-2026-53358
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53358.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53358
Downstream
Published
2026-07-02T13:43:17.630Z
Modified
2026-07-08T08:09:46.840660969Z
Summary
Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()

l2capchanclose() removes the channel from conn->chanl, which must be done under conn->lock. cleanuplisten() runs under the parent sklock, so acquiring conn->lock would invert the established conn->lock -> chan->lock -> sklock order.

Instead of calling l2capchanclose() directly, schedule l2capchantimeout with delay 0 to close the channel asynchronously. The timeout handler already acquires conn->lock and chan->lock in the correct order.

The timer is only armed when chan->conn is still set: if it is already NULL, l2capconndel() has already processed this channel (l2capchandel + l2capsockteardowncb + l2capsockclosecb), so there is nothing left to do. If l2capconndel() races in after the timer is armed, __clearchantimer() inside l2capchandel() cancels it; if the timer has already fired, the handler returns harmlessly because chan->conn was cleared.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53358.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3df91ea20e744344100b10ae69a17211fcf5b207
Fixed
3634cbdc2eb414b69ffa752ddbe5e0458518e321
Fixed
e1c100e2d61bd8c718b7d91fe3e050780a9bf72d
Fixed
deb8493a8fa599f6c95e2465b12bfdfb7f94a1d9
Fixed
89dec92041717b027216e110599e4f6d6c921b79
Fixed
50dfec218808b148ab4247b1858031b7a32015c5
Fixed
859d3ace791ed878ae9ba5522c7844d960da8f88
Fixed
7555fd885a0603f50e49a655850a1f2bd8a25398
Fixed
8c8e620467a7b51562dbcefbd1f09f288d7d710d

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53358.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.4.0
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.93
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.35
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53358.json"