Skip to main content

Linux CVE-2026-23299

| EUVDEUVD-2026-15234 MEDIUM
Missing Release of Resource after Effective Lifetime (CWE-772)
2026-03-25 Linux GHSA-2286-mwvj-8983
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
4.3 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
3.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 29, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15234
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: purge error queues in socket destructors

When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued into sk_error_queue and will stay there until consumed. If userspace never gets to read the timestamps, or if the controller is removed unexpectedly, these SKBs will leak.

Fix by adding skb_queue_purge() calls for sk_error_queue in affected bluetooth destructors. RFCOMM does not currently use sk_error_queue.

AnalysisAI

This vulnerability is a memory leak in the Linux kernel's Bluetooth subsystem where Socket Buffers (SKBs) queued into the sk_error_queue for TX timestamping are not properly purged during socket destruction, allowing sensitive timestamp data to persist in kernel memory. The vulnerability affects all Linux kernel versions that support Bluetooth with SO_TIMESTAMPING enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). An attacker with local access could potentially read leaked kernel memory contents including timestamp information that should have been cleaned up, or trigger the leak by unexpectedly removing the Bluetooth controller while timestamped packets remain queued.

Technical ContextAI

The vulnerability exists in the Bluetooth socket implementation within the Linux kernel, specifically in socket destructors for Bluetooth protocols (L2CAP, SCO, and HCI). When userspace applications enable TX timestamping via the SO_TIMESTAMPING socket option, outgoing packets are queued into the sk_error_queue for later consumption by the application. The root cause is a missing call to skb_queue_purge() on the sk_error_queue when socket destructors execute, violating proper resource cleanup patterns. This falls under the CWE-401 (Missing Release of Memory after Effective Lifetime) classification. The affected CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* indicates all Linux kernel versions are potentially impacted, though the actual risk window depends on Bluetooth subsystem compilation and SO_TIMESTAMPING usage.

RemediationAI

Apply the Linux kernel patches from the stable branch (commits 2b6c942a526635f5c61d2f000258e620da32d3a7, 3de7c10a950b36affc692d8bd2ac713852580e56, or 21e4271e65094172aadd5beb8caea95dd0fbf6d7 available at https://git.kernel.org/stable/) by upgrading to a patched kernel version in your distribution. For distributions like Ubuntu, Debian, or RHEL, wait for and apply the next stable kernel update which will incorporate these fixes. Until patching is possible, mitigate risk by disabling TX timestamping for Bluetooth sockets if not required by applications (avoid SO_TIMESTAMPING socket option usage), or restrict Bluetooth access to trusted applications only via apparmor, SELinux, or similar mandatory access controls. Monitor system memory usage on Bluetooth-heavy systems to detect potential leaks.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23299 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy