Skip to main content

Linux Kernel CVE-2026-45836

| EUVDEUVD-2026-31858 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-26 Linux GHSA-h3m3-qf7r-5cm7
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local attack vector with low privileges to access Bluetooth sockets; pure kernel-crash availability impact, no confidentiality or integrity consequence.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 21:26 vuln.today
CVSS changed
Jun 26, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
May 26, 2026 - 18:02 EUVD
CVE Published
May 26, 2026 - 16:14 nvd
MEDIUM 5.5
CVE Published
May 26, 2026 - 16:14 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()

Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

AnalysisAI

Null pointer dereference in the Linux kernel's Bluetooth L2CAP socket layer crashes the kernel when l2cap_sock_get_sndtimeo_cb() is invoked with a NULL socket context, resulting in a local denial-of-service (kernel panic). The flaw stems from an oversight where sibling callbacks l2cap_sock_resume_cb() and l2cap_sock_ready_cb() already carry the required NULL guard, but l2cap_sock_get_sndtimeo_cb() does not. With EPSS at 0.02% (5th percentile), no public exploit identified, and no CISA KEV listing, real-world exploitation risk is low - but the vulnerability has persisted since Linux 3.13 and affects every major stable branch until patched versions were released.

Technical ContextAI

The affected subsystem is the L2CAP (Logical Link Control and Adaptation Protocol) layer within the Linux kernel Bluetooth stack, specifically the socket callback path. L2CAP is the core multiplexing layer for Bluetooth connections, and its socket implementation registers a set of callbacks for lifecycle events including readiness, resumption, and send-timeout retrieval. CWE-476 (NULL Pointer Dereference) identifies the root cause: l2cap_sock_get_sndtimeo_cb() dereferences a pointer to the socket context without first verifying it is non-NULL, a check that was correctly applied in the analogous l2cap_sock_resume_cb() and l2cap_sock_ready_cb() functions. CPE data (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) indicates the affected product is the upstream Linux kernel itself, introduced at commit 8d836d71e222 and present since Linux 3.13 across all architectures.

RemediationAI

Upgrade to a patched Linux kernel release: users on the 6.6.x stable branch should upgrade to 6.6.140 or later; users on 6.12.x should upgrade to 6.12.90 or later; users on 7.0.x should upgrade to 7.0.7 or later; users on 6.18.x should upgrade to 6.18.30 or later; and users tracking 7.1 should use rc3 or the final 7.1 release when available. The fix commits are published at https://git.kernel.org/stable/c/cf1fd517f892ded88168df878f834b625133f86d and related stable tree commits listed in the references. Distribution-maintained kernels (RHEL, Ubuntu, Debian, SUSE) should release updates incorporating these fixes; monitor vendor security advisories. If immediate patching is not feasible, disabling the Bluetooth subsystem entirely via modprobe -r btusb bluetooth eliminates the attack surface with the trade-off of losing all Bluetooth functionality. Alternatively, restricting local user access to Bluetooth socket creation via AppArmor or SELinux policy can reduce exposure without fully disabling Bluetooth. Neither workaround is necessary for environments where Bluetooth is already disabled or where only trusted local users have shell access.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-45836 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy