CVE-2026-53357 is a use-after-free flaw in the Linux kernel Bluetooth L2CAP socket handling, caused by a race between l2cap_sock_cleanup_listen() and l2cap_conn_del(). The issue arises because bt_accept_dequeue() can unlink a not-yet-accepted child socket from the parent accept queue and call release_sock() before returning it, leaving the returned socket unlocked and without a caller-held reference. During listening-socket teardown, l2cap_sock_cleanup_listen() walks these child sockets. If an HCI disconnect occurs concurrently, hci_rx_work can invoke l2cap_conn_del(), which proceeds through l2cap_chan_del() and l2cap_sock_kill() and frees the child socket and its associated l2cap_chan. l2cap_sock_cleanup_listen() may then subsequently access those freed objects, resulting in a slab use-after-free. The upstream fix takes a reference earlier in bt_accept_dequeue() via sock_hold() while the socket is still locked, requires callers to sock_put(), and adds channel pinning in cleanup_listen() using l2cap_chan_hold_unless_zero() under a brief child socket lock to serialize against teardown paths.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
9 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.
No news coverage yet. Advisories and community discussion only.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.