{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31499", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.104Z", "datePublished": "2026-04-22T13:54:20.384Z", "dateUpdated": "2026-05-14T14:30:11.358Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-14T14:30:11.358Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix deadlock in l2cap_conn_del()\n\nl2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer\nand id_addr_timer while holding conn->lock. However, the work functions\nl2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire\nconn->lock, creating a potential AB-BA deadlock if the work is already\nexecuting when l2cap_conn_del() takes the lock.\n\nMove the work cancellations before acquiring conn->lock and use\ndisable_delayed_work_sync() to additionally prevent the works from\nbeing rearmed after cancellation, consistent with the pattern used in\nhci_conn_del()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "f87271d21dd4ee83857ca11b94e7b4952749bbae", "lessThan": "f7f35a4f7fd574f5889bb2e4b397e14cbb83f6da", "status": "affected", "versionType": "git"}, {"version": "ab4eedb790cae44313759b50fe47da285e2519d5", "lessThan": "3f26ecbd9cde621dd94be7ef252c7210b965a5c7", "status": "affected", "versionType": "git"}, {"version": "ab4eedb790cae44313759b50fe47da285e2519d5", "lessThan": "d008460de352e534f6721de829b093368564ec66", "status": "affected", "versionType": "git"}, {"version": "ab4eedb790cae44313759b50fe47da285e2519d5", "lessThan": "00fdebbbc557a2fc21321ff2eaa22fd70c078608", "status": "affected", "versionType": "git"}, {"version": "efc30877bd4bc85fefe98d80af60fafc86e5775e", "status": "affected", "versionType": "git"}, {"version": "18ab6b6078fa8191ca30a3065d57bf35d5635761", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.88", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.20", "versionEndExcluding": "6.12.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.84"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f7f35a4f7fd574f5889bb2e4b397e14cbb83f6da"}, {"url": "https://git.kernel.org/stable/c/3f26ecbd9cde621dd94be7ef252c7210b965a5c7"}, {"url": "https://git.kernel.org/stable/c/d008460de352e534f6721de829b093368564ec66"}, {"url": "https://git.kernel.org/stable/c/00fdebbbc557a2fc21321ff2eaa22fd70c078608"}], "title": "Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B605565-ABCA-49F6-9B41-61FAF3C20FA1", "versionEndExcluding": "6.7", "versionStartIncluding": "6.6.84", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "893662BF-1CCE-4257-93CB-4C93976B20C6", "versionEndExcluding": "6.13", "versionStartIncluding": "6.12.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "366CEEDE-ED7E-4CD5-A00F-927D6C249DFD", "versionEndExcluding": "6.14", "versionStartIncluding": "6.13.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BA62FCD-8829-4508-AFE2-0C12960267CD", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.14.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*", "matchCriteriaId": "7DE421BA-0600-4401-A175-73CAB6A6FB4E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix deadlock in l2cap_conn_del()\n\nl2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer\nand id_addr_timer while holding conn->lock. However, the work functions\nl2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire\nconn->lock, creating a potential AB-BA deadlock if the work is already\nexecuting when l2cap_conn_del() takes the lock.\n\nMove the work cancellations before acquiring conn->lock and use\ndisable_delayed_work_sync() to additionally prevent the works from\nbeing rearmed after cancellation, consistent with the pattern used in\nhci_conn_del()."}], "id": "CVE-2026-31499", "lastModified": "2026-05-14T15:16:45.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T14:16:48.283", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/00fdebbbc557a2fc21321ff2eaa22fd70c078608"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3f26ecbd9cde621dd94be7ef252c7210b965a5c7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d008460de352e534f6721de829b093368564ec66"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f7f35a4f7fd574f5889bb2e4b397e14cbb83f6da"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()", "id": "2460692", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460692"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-833", "details": ["A flaw was found in the Linux kernel's Bluetooth L2CAP component. A deadlock can occur in the `l2cap_conn_del()` function when canceling delayed work, specifically `info_timer` and `id_addr_timer`. This happens because `l2cap_conn_del()` holds a lock while attempting to cancel work functions that also acquire the same lock, creating a circular waiting condition. This concurrency issue can lead to a Denial of Service (DoS), making the system unresponsive."], "name": "CVE-2026-31499", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31499\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31499\nhttps://lore.kernel.org/linux-cve-announce/2026042204-CVE-2026-31499-0142@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ab4eedb790cae44313759b50fe47da285e2519d5,3f26ecbd9cde621dd94be7ef252c7210b965a5c7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ab4eedb790cae44313759b50fe47da285e2519d5,d008460de352e534f6721de829b093368564ec66)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ab4eedb790cae44313759b50fe47da285e2519d5,00fdebbbc557a2fc21321ff2eaa22fd70c078608)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "efc30877bd4bc85fefe98d80af60fafc86e5775e"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f87271d21dd4ee83857ca11b94e7b4952749bbae"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "18ab6b6078fa8191ca30a3065d57bf35d5635761"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T01:47:58.794008+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that contains the L2CAP deadlock fix, ensuring the kernel commits referenced in the advisory are applied.", "If a kernel update is not immediately possible, temporarily disable the Bluetooth L2CAP interface or the entire Bluetooth stack to prevent the use of the vulnerable code path.", "Reboot the system after applying the kernel update to activate the new code."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that contain the L2CAP code before the referenced patch are affected. This includes any Linux distribution that has not yet applied the commit that moves the work cancellations outside the lock. The precise kernel versions are not listed, but the fix is present in patches traced by the Git commit links provided.", "description_and_impact": "A deadlock can occur when the Bluetooth L2CAP connection teardown routine holds a lock while cancelling delayed work that also tries to acquire the same lock. If the work is already executing, the routine may deadlock, freezing the task that performed the deletion and potentially hanging dependent processes. The flaw results in a denial of service rather than a breach of confidentiality or integrity. The attack vector is inferred to involve an attacker capable of initiating a Bluetooth L2CAP connection deletion while the timers remain active, which can be achieved either remotely as a malicious Bluetooth client or locally by a user with sufficient privileges.", "risk_and_exploitability": "The exploitability is limited to contexts where an attacker can trigger an L2CAP connection delete while the related timers are active, which could be achieved through a malicious Bluetooth client or a local user with the ability to manage Bluetooth connections. Because the description does not explicitly state the attack vector, it is inferred that an attacker must be able to trigger L2CAP connection deletion while the timers are active, either remotely as a Bluetooth client or locally as a user with privileges. The CVSS score is 5.5 and the EPSS score is < 1%; the vulnerability is not listed in the CISA KEV catalog, indicating that it might not be actively exploited in the wild. Nonetheless, the potential for a service disruption warrants prompt remediation."}}}}, "created": "2026-04-22T18:15:15.251564+00:00", "updated": "2026-04-29T02:00:27.229689+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}