Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Radio-range, pre-pairing attack maps to AV:A and PR:N; impact is availability-only amplification with no confidentiality or integrity effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR signaling packets up to the channel MTU and dispatches each command without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer within radio range can send a fixed-channel CID 0x0001 packet that is larger than MTUsig and contains many L2CAP_ECHO_REQ commands before pairing. In a real-radio stock-kernel run, one 681-byte signaling packet containing 168 zero-length ECHO_REQ commands made the target transmit 168 ECHO_RSP frames over about 220 ms.
Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling packet containing packed ECHO_REQ commands.
Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.
The Bluetooth Core spec wording for MTUExceeded says the reject identifier shall match the first request command in the packet, and that packets containing only responses shall be silently discarded. Linux intentionally deviates from that prescription: silently discarding desynchronizes the peer because the remote stack never learns its responses were dropped, and locating the first request command requires walking command headers past MTUsig, i.e. processing bytes from a packet we have already decided is too large to process. We therefore always emit one reject and use the identifier from the first command header, a single fixed-offset byte read.
The unrestricted BR/EDR signaling parser and ECHO_REQ response path both trace to the initial git import; no later introducing commit is available for a Fixes tag.
AnalysisAI
Bluetooth L2CAP in the Linux kernel fails to enforce the signaling MTU (MTUsig = 48 bytes) in l2cap_sig_channel(), enabling a nearby BR/EDR peer to send a single oversized fixed-channel signaling packet packed with many ECHO_REQ commands before pairing and force a proportional burst of ECHO_RSP frames. In a confirmed test, one 681-byte CID 0x0001 packet containing 168 ECHO_REQ commands caused the target to emit 168 responses over approximately 220 ms - roughly a 250× frame amplification - constituting a traffic-amplification denial-of-service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Bluetooth BR/EDR (classic Bluetooth, not BLE) must be enabled and active on the target Linux host. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5) conflicts materially with the vulnerability description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positions a Bluetooth-capable device within radio range of a Linux host running an unpatched kernel with Bluetooth enabled. Before any pairing occurs, the attacker transmits a single crafted 681-byte L2CAP fixed-channel CID 0x0001 signaling packet containing 168 zero-length ECHO_REQ commands. … |
| Remediation | Upgrade to a patched stable kernel release: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39299
GHSA-hhxp-r7j7-v7jv