Skip to main content

Linux CVE-2026-23395

| EUVDEUVD-2026-15398 HIGH
2026-03-25 Linux GHSA-5r99-pj6c-hg6v
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 18, 2026 - 09:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15398
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:33 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ

Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer causing an overflow.

The spec is quite clear that the same identifier shall not be used on subsequent requests:

'Within each signaling channel a different Identifier shall be used for each successive request or indication.' https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d

So this attempts to check if there are any channels pending with the same identifier and rejects if any are found.

AnalysisAI

Buffer overflow in Linux kernel Bluetooth L2CAP subsystem allows adjacent network attackers to achieve code execution with high integrity and confidentiality impact. The flaw occurs when the kernel incorrectly accepts multiple L2CAP_ECRED_CONN_REQ commands with the same identifier, violating Bluetooth Core Specification requirements. This causes allocation beyond the L2CAP_ECRED_MAX_CID limit (5 channels) in l2cap_ecred_rsp_defer, triggering memory corruption. Affects Linux kernel 5.7+ through multiple stable branches. Vendor patches available for 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and 7.0-rc5. EPSS score of 0.02% suggests low likelihood of mass exploitation, no public POC or active exploitation confirmed at time of analysis.

Technical ContextAI

This vulnerability resides in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) implementation, specifically in the Enhanced Credit-Based Flow Control (ECRED) connection handling code. L2CAP operates at the Bluetooth stack's data link layer, managing connection-oriented and connectionless data services between devices. The flaw involves improper validation of command identifiers in L2CAP_ECRED_CONN_REQ signaling packets. The Bluetooth Core Specification mandates unique identifiers for successive requests within a signaling channel to prevent state confusion. The vulnerable code path fails to enforce this requirement, allowing an attacker to submit multiple connection requests with identical identifiers. When FLAG_DEFER_SETUP is set for these duplicate requests, the l2cap_ecred_rsp_defer function allocates channels beyond the hardcoded maximum of L2CAP_ECRED_MAX_CID (5). This creates a classic buffer overflow condition in kernel memory structures tracking L2CAP channel state. The affected code was introduced in commit 15f02b91056253e8cdc592888f431da0731337b8 and affects all Linux kernel versions from 5.7 onwards until patched. The fix implements identifier collision detection to reject duplicate requests before allocation occurs.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.167+ for LTS users, 6.6.130+ for 6.6.x branch, 6.12.78+ for 6.12.x branch, 6.18.20+ for 6.18.x branch, 6.19.10+ for 6.19.x branch, or 7.0-rc5+ for mainline. Kernel.org stable tree commits available at https://git.kernel.org/stable/c/8d0d94f8ba5b3a0beec3b0da558b9bea48018117 and related branch-specific commits listed in references. Distribution-specific updates: Debian users should apply security updates through apt when available for their tracked releases. If immediate patching is not feasible, disable Bluetooth subsystem entirely via kernel boot parameter 'bluetooth.disable_ertm=1' or by blacklisting bluetooth kernel module (add 'blacklist bluetooth' to /etc/modprobe.d/blacklist.conf and rebuild initramfs). Note this breaks all Bluetooth functionality including input devices, audio, and file transfer. For systems requiring Bluetooth, implement network segmentation to isolate Bluetooth-enabled hosts from untrusted physical spaces, disable Bluetooth discoverability/pairing modes when not actively needed, and apply MAC-based filtering to allow only known device addresses. These mitigations reduce but do not eliminate risk as the flaw exists in connection request handling before pairing authentication. Compensating controls carry operational impact: disabling Bluetooth may break legitimate device workflows, MAC filtering creates management overhead and is bypassable via address spoofing. Vendor advisories: Linux kernel stable tree releases and EUVD-2026-15398 provide authoritative patch information.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid vulnerable 6.19.8-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy