CVE-2026-53357

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()

bt_accept_dequeue() unlinks a not-yet-accepted child from the parent accept queue and release_sock()s it before returning, so the returned sk has no caller reference and is unlocked. l2cap_sock_cleanup_listen() walks these children on listening-socket close. A concurrent HCI disconnect drives hci_rx_work -> l2cap_conn_del(), which runs l2cap_chan_del() + l2cap_sock_kill() and frees the child sk and its l2cap_chan; cleanup_listen() then uses both:

    BUG: KASAN: slab-use-after-free in l2cap_sock_kill
    l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close
    Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill

This is distinct from the two fixes already in this area: commit e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the accept_q list/poll and takes temporary refs inside bt_accept_dequeue(), and CVE-2025-39860 serialises the userspace close()/accept() race by calling cleanup_listen() under lock_sock() in l2cap_sock_release(). Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF still reproduces on current bluetooth/master.

Take the reference at the source: bt_accept_dequeue() does sock_hold() while sk is still locked, before release_sock(); callers sock_put(). cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under the parent sk lock and that would invert conn->lock -> chan->lock -> sk_lock (lockdep).

KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced 12 use-after-free reports per run before this change; 0, and no lockdep report, over 1600+ raced iterations after it on bluetooth/master.

Package Linux Kernel
Published 2026-07-02
Last modified 2026-07-02
Patch available
Yes

Affected versions

Linux kernel versions 5.7 and later are affected. Fixed in 5.10.259, 5.15.210, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, 7.1 and their respective stable series.

Affected from
≥ 5.7
Fixed in
  • 5.10.259 (5.10.x)
  • 5.15.210 (5.15.x)
  • 6.1.175 (6.1.x)
  • 6.6.142 (6.6.x)
  • 6.12.92 (6.12.x)
  • 6.18.34 (6.18.x)
  • 7.0.11 (7.0.x)
  • 7.1
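A practitioner's first question is whether a given running kernel falls inside the affected range above. The following is an added example, not part of this advisory or of the kernel project: it encodes the fixed versions listed here and classifies a `uname -r` style release string. The decision rule (a release is fixed if its major.minor branch has a listed fix and its patch level is at or above it, or if it is 7.1 or later) is this example's own assumption about how to read the table.

```python
"""Classify a kernel release string against the CVE-2026-53357 version data.

Added example, not from the advisory or the kernel tree. The decision
rule below (branch fix reached, or mainline >= 7.1) is an assumption
about how to apply the listed fixed versions.
"""
import re

AFFECTED_FROM = (5, 7)
# Stable-branch fixes listed in the advisory: (major, minor) -> fixed patch level.
FIXED = {
    (5, 10): 259, (5, 15): 210, (6, 1): 175, (6, 6): 142,
    (6, 12): 92, (6, 18): 34, (7, 0): 11,
}
MAINLINE_FIX = (7, 1)  # first mainline release carrying the fix


def parse_version(release: str) -> tuple[int, int, int]:
    """Parse 'uname -r' output such as '6.6.141-generic' into (major, minor, patch).

    A missing patch component (e.g. '7.1') is treated as patch level 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def status(release: str) -> str:
    """Return one of: 'not affected', 'fixed', 'affected',
    'affected (branch has no listed fix)'.

    Caveat: distribution kernels frequently backport fixes without changing
    the upstream version number, so a result of 'affected' should be
    confirmed against the distribution's own changelog or advisory.
    """
    major, minor, patch = parse_version(release)
    if (major, minor) < AFFECTED_FROM:
        return "not affected"
    if (major, minor) >= MAINLINE_FIX:
        return "fixed"
    branch_fix = FIXED.get((major, minor))
    if branch_fix is None:
        # e.g. an end-of-life branch such as 6.3.x: no listed fix exists for it.
        return "affected (branch has no listed fix)"
    return "fixed" if patch >= branch_fix else "affected"


if __name__ == "__main__":
    import platform
    print(platform.release(), "->", status(platform.release()))
```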

Frequently asked questions

  • What is CVE-2026-53357?

    CVE-2026-53357 is a Linux kernel vulnerability with no assigned severity score. It affects Linux kernel versions from 5.7 onward and has been patched in 5.10.259, 5.15.210, 6.1.175 and others. CVE-2026-53357 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

  • Is there a patch available for CVE-2026-53357?

    Yes — CVE-2026-53357 has been patched. Fixed versions include 5.10.259, 5.15.210, 6.1.175 and others. If you are running Linux kernel 5.7 or later up to the fix versions, apply the relevant patch for your kernel branch.

  • Is CVE-2026-53357 actively exploited?

    No — CVE-2026-53357 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.