CVE-2026-53071

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: Add missing chan lock in l2cap ecred reconf rsp

l2cap ecred reconf rsp() calls l2cap chan del() without holding l2cap chan lock(). Every other l2cap chan del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it.

Add l2cap chan hold() and l2cap chan lock() before l2cap chan del(), and l2cap chan unlock() and l2cap chan put() after, matching the pattern used in l2cap ecred conn rsp() and l2cap conn del().