In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
l2capchanclose() removes the channel from conn->chanl, which must be done under conn->lock. cleanuplisten() runs under the parent sklock, so acquiring conn->lock would invert the established conn->lock -> chan->lock -> sklock order.
Instead of calling l2capchanclose() directly, schedule l2capchantimeout with delay 0 to close the channel asynchronously. The timeout handler already acquires conn->lock and chan->lock in the correct order.
The timer is only armed when chan->conn is still set: if it is already NULL, l2capconndel() has already processed this channel (l2capchandel + l2capsockteardowncb + l2capsockclosecb), so there is nothing left to do. If l2capconndel() races in after the timer is armed, __clearchantimer() inside l2capchandel() cancels it; if the timer has already fired, the handler returns harmlessly because chan->conn was cleared.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53358.json",
"cna_assigner": "Linux"
}