CVE-2026-53357
Enriched by CISA
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
bt_accept_dequeue() unlinks a not-yet-accepted child from the parent
accept queue and release_sock()s it before returning, so the returned
sk has no caller reference and is unlocked.
l2cap_sock_cleanup_listen() walks these children on listening-socket
close. A concurrent HCI disconnect drives hci_rx_work ->
l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and
frees the child sk and its l2cap_chan; cleanup_listen() then uses both:
BUG: KASAN: slab-use-after-free in l2cap_sock_kill
l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close
Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill
This is distinct from the two fixes already in this area: commit
e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the
accept_q list/poll and takes temporary refs inside bt_accept_dequeue(),
and CVE-2025-39860 serialises the userspace close()/accept() race by
calling cleanup_listen() under lock_sock() in l2cap_sock_release().
Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF
still reproduces on current bluetooth/master.
Take the reference at the source: bt_accept_dequeue() does sock_hold()
while sk is still locked, before release_sock(); callers sock_put().
cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under
a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops
it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on
SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under
the parent sk lock and that would invert
conn->lock -> chan->lock -> sk_lock (lockdep).
KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced
12 use-after-free reports per run before this change; 0, and no lockdep
report, over 1600+ raced iterations after it on bluetooth/master.
https://nvd.nist.gov/vuln/detail/CVE-2026-53357
Categories
No category defined
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67
AFFECTED (from MITRE)
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux |
|
| Linux | Linux |
|
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. | ||
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | ||
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 5.7 | < 5.10.259 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 5.7 | < 5.15.210 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 5.7 | < 6.1.175 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 5.7 | < 6.6.142 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 5.7 | < 6.12.92 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 5.7 | < 6.18.34 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 5.7 | < 7.0.11 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 5.7 | < 7.1 |
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date | |
|---|---|---|---|
| No known exploits | |||
POC Github
| Url |
|---|
| No known exploits |
Other Nist (github, ...)
| Url |
|---|
| No known exploits |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| No entry | ||
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
