Skip to main content

Linux Kernel CVE-2026-53208

| EUVDEUVD-2026-39299 MEDIUM
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-hhxp-r7j7-v7jv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Radio-range, pre-pairing attack maps to AV:A and PR:N; impact is availability-only amplification with no confidentiality or integrity effect.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 02, 2026 - 23:17 vuln.today
CVSS changed
Jul 02, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig

net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR signaling packets up to the channel MTU and dispatches each command without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer within radio range can send a fixed-channel CID 0x0001 packet that is larger than MTUsig and contains many L2CAP_ECHO_REQ commands before pairing. In a real-radio stock-kernel run, one 681-byte signaling packet containing 168 zero-length ECHO_REQ commands made the target transmit 168 ECHO_RSP frames over about 220 ms.

Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling packet containing packed ECHO_REQ commands.

Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.

The Bluetooth Core spec wording for MTUExceeded says the reject identifier shall match the first request command in the packet, and that packets containing only responses shall be silently discarded. Linux intentionally deviates from that prescription: silently discarding desynchronizes the peer because the remote stack never learns its responses were dropped, and locating the first request command requires walking command headers past MTUsig, i.e. processing bytes from a packet we have already decided is too large to process. We therefore always emit one reject and use the identifier from the first command header, a single fixed-offset byte read.

The unrestricted BR/EDR signaling parser and ECHO_REQ response path both trace to the initial git import; no later introducing commit is available for a Fixes tag.

AnalysisAI

Bluetooth L2CAP in the Linux kernel fails to enforce the signaling MTU (MTUsig = 48 bytes) in l2cap_sig_channel(), enabling a nearby BR/EDR peer to send a single oversized fixed-channel signaling packet packed with many ECHO_REQ commands before pairing and force a proportional burst of ECHO_RSP frames. In a confirmed test, one 681-byte CID 0x0001 packet containing 168 ECHO_REQ commands caused the target to emit 168 responses over approximately 220 ms - roughly a 250× frame amplification - constituting a traffic-amplification denial-of-service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Move within Bluetooth radio range
Delivery
Craft oversized L2CAP CID 0x0001 signaling packet
Exploit
Embed 168 ECHO_REQ commands past MTUsig boundary
Execution
Transmit packet pre-pairing to target
Persist
Kernel dispatches all commands without MTUsig enforcement
Impact
Target emits 168 ECHO_RSP frames causing amplification DoS

Vulnerability AssessmentAI

Exploitation Bluetooth BR/EDR (classic Bluetooth, not BLE) must be enabled and active on the target Linux host. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5) conflicts materially with the vulnerability description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positions a Bluetooth-capable device within radio range of a Linux host running an unpatched kernel with Bluetooth enabled. Before any pairing occurs, the attacker transmits a single crafted 681-byte L2CAP fixed-channel CID 0x0001 signaling packet containing 168 zero-length ECHO_REQ commands. …
Remediation Upgrade to a patched stable kernel release: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy