CVE-2026-23299
Analyzed Analyzed - Analysis Complete
Memory Leak in Linux Bluetooth Socket Error Queue Handling

Publication date: 2026-03-25

Last updated on: 2026-05-29

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: purge error queues in socket destructors When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued into sk_error_queue and will stay there until consumed. If userspace never gets to read the timestamps, or if the controller is removed unexpectedly, these SKBs will leak. Fix by adding skb_queue_purge() calls for sk_error_queue in affected bluetooth destructors. RFCOMM does not currently use sk_error_queue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23299
EUVD
EUVD-2026-15234
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel From 6.15 (inc) to 6.18.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth implementation related to error queue management in socket destructors.

When TX timestamping is enabled using SO_TIMESTAMPING, socket buffers (SKBs) may be placed into an error queue called sk_error_queue and remain there until they are read by userspace.

If userspace never reads these timestamps or if the Bluetooth controller is unexpectedly removed, these SKBs will leak, meaning they remain allocated and are not properly freed.

The fix involved adding calls to skb_queue_purge() to clear the sk_error_queue in the affected Bluetooth socket destructors, preventing the leak.

Impact Analysis

This vulnerability can lead to resource leaks in the Linux kernel's Bluetooth subsystem.

Specifically, socket buffers that are not properly freed can accumulate, potentially causing increased memory usage and degraded system performance over time.

In extreme cases, this could lead to exhaustion of kernel memory resources, which might affect system stability or cause crashes.

Mitigation Strategies

The vulnerability is fixed by adding skb_queue_purge() calls for sk_error_queue in affected Bluetooth socket destructors. To mitigate this vulnerability, ensure your Linux kernel is updated to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23299. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart