CVE-2026-23395 (GCVE-0-2026-23395)
Vulnerability from cvelistv5
Published
2026-03-25 10:33
Modified
2026-04-18 08:58
Severity ?
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer causing an overflow. The spec is quite clear that the same identifier shall not be used on subsequent requests: 'Within each signaling channel a different Identifier shall be used for each successive request or indication.' https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d So this attempts to check if there are any channels pending with the same identifier and rejects if any are found.
References
Impacted products
Vendor Product Version
Linux Linux Version: 15f02b91056253e8cdc592888f431da0731337b8
Version: 15f02b91056253e8cdc592888f431da0731337b8
Version: 15f02b91056253e8cdc592888f431da0731337b8
Version: 15f02b91056253e8cdc592888f431da0731337b8
Version: 15f02b91056253e8cdc592888f431da0731337b8
Version: 15f02b91056253e8cdc592888f431da0731337b8
Version: 15f02b91056253e8cdc592888f431da0731337b8
Version: 15f02b91056253e8cdc592888f431da0731337b8
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "10a7a702542240d5edb2b39450ac951c59ccd009",
              "status": "affected",
              "version": "15f02b91056253e8cdc592888f431da0731337b8",
              "versionType": "git"
            },
            {
              "lessThan": "46e5b71666fb7652082e4e214a3365f4b14f1dc3",
              "status": "affected",
              "version": "15f02b91056253e8cdc592888f431da0731337b8",
              "versionType": "git"
            },
            {
              "lessThan": "fb4a3a26483f3ea2cd21c7a2f7c45d5670600465",
              "status": "affected",
              "version": "15f02b91056253e8cdc592888f431da0731337b8",
              "versionType": "git"
            },
            {
              "lessThan": "2124d82fd25e1671bb3ceb37998af5aae5903e06",
              "status": "affected",
              "version": "15f02b91056253e8cdc592888f431da0731337b8",
              "versionType": "git"
            },
            {
              "lessThan": "6b949a6b33cbdf621d9fc6f0c48ac00915dbf514",
              "status": "affected",
              "version": "15f02b91056253e8cdc592888f431da0731337b8",
              "versionType": "git"
            },
            {
              "lessThan": "8d0d94f8ba5b3a0beec3b0da558b9bea48018117",
              "status": "affected",
              "version": "15f02b91056253e8cdc592888f431da0731337b8",
              "versionType": "git"
            },
            {
              "lessThan": "e72ee455297b794b852e5cea8d2d7bb17312172a",
              "status": "affected",
              "version": "15f02b91056253e8cdc592888f431da0731337b8",
              "versionType": "git"
            },
            {
              "lessThan": "5b3e2052334f2ff6d5200e952f4aa66994d09899",
              "status": "affected",
              "version": "15f02b91056253e8cdc592888f431da0731337b8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.20",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.10",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ\n\nCurrently the code attempts to accept requests regardless of the\ncommand identifier which may cause multiple requests to be marked\nas pending (FLAG_DEFER_SETUP) which can cause more than\nL2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer\ncausing an overflow.\n\nThe spec is quite clear that the same identifier shall not be used on\nsubsequent requests:\n\n\u0027Within each signaling channel a different Identifier shall be used\nfor each successive request or indication.\u0027\nhttps://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d\n\nSo this attempts to check if there are any channels pending with the\nsame identifier and rejects if any are found."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-18T08:58:29.622Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/10a7a702542240d5edb2b39450ac951c59ccd009"
        },
        {
          "url": "https://git.kernel.org/stable/c/46e5b71666fb7652082e4e214a3365f4b14f1dc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb4a3a26483f3ea2cd21c7a2f7c45d5670600465"
        },
        {
          "url": "https://git.kernel.org/stable/c/2124d82fd25e1671bb3ceb37998af5aae5903e06"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b949a6b33cbdf621d9fc6f0c48ac00915dbf514"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d0d94f8ba5b3a0beec3b0da558b9bea48018117"
        },
        {
          "url": "https://git.kernel.org/stable/c/e72ee455297b794b852e5cea8d2d7bb17312172a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b3e2052334f2ff6d5200e952f4aa66994d09899"
        }
      ],
      "title": "Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23395",
    "datePublished": "2026-03-25T10:33:18.936Z",
    "dateReserved": "2026-01-13T15:37:46.011Z",
    "dateUpdated": "2026-04-18T08:58:29.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.