CVE-2026-23299
Memory Leak in Linux Bluetooth Socket Error Queue Handling
Publication date: 2026-03-25
Last updated on: 2026-03-25
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Bluetooth implementation related to error queue management in socket destructors.
When TX timestamping is enabled using SO_TIMESTAMPING, socket buffers (SKBs) may be placed into an error queue called sk_error_queue and remain there until they are read by userspace.
If userspace never reads these timestamps or if the Bluetooth controller is unexpectedly removed, these SKBs will leak, meaning they remain allocated and are not properly freed.
The fix involved adding calls to skb_queue_purge() to clear the sk_error_queue in the affected Bluetooth socket destructors, preventing the leak.
How can this vulnerability impact me? :
This vulnerability can lead to resource leaks in the Linux kernel's Bluetooth subsystem.
Specifically, socket buffers that are not properly freed can accumulate, potentially causing increased memory usage and degraded system performance over time.
In extreme cases, this could lead to exhaustion of kernel memory resources, which might affect system stability or cause crashes.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by adding skb_queue_purge() calls for sk_error_queue in affected Bluetooth socket destructors. To mitigate this vulnerability, ensure your Linux kernel is updated to a version that includes this fix.