CVE-2026-23395
Received Received - Intake
L2CAP Identifier Handling Buffer Overflow in Linux Bluetooth

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer causing an overflow. The spec is quite clear that the same identifier shall not be used on subsequent requests: 'Within each signaling channel a different Identifier shall be used for each successive request or indication.' https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d So this attempts to check if there are any channels pending with the same identifier and rejects if any are found.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23395
EUVD
EUVD-2026-15398
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.7
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 5.7.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth L2CAP implementation. The issue arises because the code accepts multiple L2CAP_ECRED_CONN_REQ requests without properly checking the command identifier. According to the Bluetooth specification, each successive request on a signaling channel must use a different identifier. However, the vulnerable code may mark multiple requests with the same identifier as pending, leading to more than the allowed maximum number of connections (L2CAP_ECRED_MAX_CID, which is 5) being allocated. This can cause an overflow in the l2cap_ecred_rsp_defer structure.

The fix involves checking if there are any channels pending with the same identifier and rejecting new requests if duplicates are found, thus enforcing the specification requirement.

Impact Analysis

This vulnerability can lead to an overflow condition in the Bluetooth L2CAP layer of the Linux kernel. Such an overflow might cause unexpected behavior, including potential denial of service or instability in the Bluetooth subsystem. It could allow attackers to exploit the overflow to disrupt Bluetooth communications or possibly escalate to further attacks depending on the system context.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the Bluetooth L2CAP code to properly check and reject multiple L2CAP_ECRED_CONN_REQ requests with the same identifier. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23395. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart