Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-53358

Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
02/07/2026
Última modificación:
02/07/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()<br /> <br /> l2cap_chan_close() removes the channel from conn-&gt;chan_l, which<br /> must be done under conn-&gt;lock. cleanup_listen() runs under the<br /> parent sk_lock, so acquiring conn-&gt;lock would invert the<br /> established conn-&gt;lock -&gt; chan-&gt;lock -&gt; sk_lock order.<br /> <br /> Instead of calling l2cap_chan_close() directly, schedule<br /> l2cap_chan_timeout with delay 0 to close the channel<br /> asynchronously. The timeout handler already acquires conn-&gt;lock<br /> and chan-&gt;lock in the correct order.<br /> <br /> The timer is only armed when chan-&gt;conn is still set: if it is<br /> already NULL, l2cap_conn_del() has already processed this channel<br /> (l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),<br /> so there is nothing left to do. If l2cap_conn_del() races in<br /> after the timer is armed, __clear_chan_timer() inside<br /> l2cap_chan_del() cancels it; if the timer has already fired, the<br /> handler returns harmlessly because chan-&gt;conn was cleared.

Impacto