CVE-2026-23299 - Vulnerability Details

- Bluetooth: purge error queues in socket destructors

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: purge error queues in socket destructors

When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued
into sk_error_queue and will stay there until consumed. If userspace never
gets to read the timestamps, or if the controller is removed unexpectedly,
these SKBs will leak.

Fix by adding skb_queue_purge() calls for sk_error_queue in affected
bluetooth destructors. RFCOMM does not currently use sk_error_queue.

Published: 2026-03-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The defect resides in the Linux Bluetooth subsystem, where transmit timestamping enables sk_buff instances to be queued into sk_error_queue. The kernel fails to clear this queue during socket cleanup, so the queued sk_buffs persist until the user processes the timestamps or until the Bluetooth controller is disconnected. Because the items remain in memory, repeated creation and destruction of Bluetooth sockets can consume kernel memory, potentially exhausting the system and resulting in a denial of service. This weakness is a classic resource‑leak scenario (CWE‑772).

Affected Systems

The issue affects the Linux kernel’s Bluetooth implementation. All distributions running a kernel build that contains the buggy Bluetooth socket destructors and that enable SO_TIMESTAMPING are potentially impacted. The specific kernel versions are not listed in the advisory, so administrators should check whether their kernel series includes this change as part of recent updates.

Risk and Exploitability

The packaged CVSS score is 5.5, reflecting a moderate impact and requiring operators or local users to invoke Bluetooth socket operations. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a user or application that repeatedly opens and closes Bluetooth sockets with timestamping enabled, eventually exhausting kernel memory. Because the flaw is a kernel resource leak rather than an immediate privilege‑escalation flaw, it is generally mitigated by applying the kernel patch before a DoS occurs.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`134f4b39df7b77225a80ef585c15d46f964f5e6f`	affected	< 2b6c942a526635f5c61d2f000258e620da32d3a7
`134f4b39df7b77225a80ef585c15d46f964f5e6f`	affected	< 3de7c10a950b36affc692d8bd2ac713852580e56
`134f4b39df7b77225a80ef585c15d46f964f5e6f`	affected	< 21e4271e65094172aadd5beb8caea95dd0fbf6d7

Linux

affected

Version	Status	Constraints
`6.15`	affected	—
`0`	unaffected	< 6.15
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[134f4b39df7b77225a80ef585c15d46f964f5e6f,2b6c942a526635f5c61d2f000258e620da32d3a7)`	affected	code_commit	—
`[134f4b39df7b77225a80ef585c15d46f964f5e6f,3de7c10a950b36affc692d8bd2ac713852580e56)`	affected	code_commit	—
`[134f4b39df7b77225a80ef585c15d46f964f5e6f,21e4271e65094172aadd5beb8caea95dd0fbf6d7)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.15`	affected	generic	—
`[0,6.15)`	unaffected	generic	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc2,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a Linux kernel update that includes the skb_queue_purge fix for Bluetooth socket destructors
If an immediate kernel update is not available, consider disabling SO_TIMESTAMPING in applications that use Bluetooth sockets to reduce the accumulation of error queue entries
Restart the machine to clear any stale sk_error_queue entries while a patch is pending

Generated by OpenCVE AI on March 26, 2026 at 14:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/21e4271e65094172aadd5beb8caea95dd0fbf6d7
https://git.kernel.org/stable/c/2b6c942a526635f5c61d2f000258e620da32d3a7
https://git.kernel.org/stable/c/3de7c10a950b36affc692d8bd2ac713852580e56
https://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23299-6471@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23299
https://www.cve.org/CVERecord?id=CVE-2026-23299

History

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-399

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23299-6471@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23299 https://www.cve.org/CVERecord?id=CVE-2026-23299
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-399

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: purge error queues in socket destructors When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued into sk_error_queue and will stay there until consumed. If userspace never gets to read the timestamps, or if the controller is removed unexpectedly, these SKBs will leak. Fix by adding skb_queue_purge() calls for sk_error_queue in affected bluetooth destructors. RFCOMM does not currently use sk_error_queue.
Title		Bluetooth: purge error queues in socket destructors
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/21e4271e65094172aadd5beb8caea95dd0fbf6d7 https://git.kernel.org/stable/c/2b6c942a526635f5c61d2f000258e620da32d3a7 https://git.kernel.org/stable/c/3de7c10a950b36affc692d8bd2ac713852580e56

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:26:55.481Z

Updated: 2026-04-13T06:03:54.248Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23299

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:25.487

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23299

Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23299 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:50:07Z

Weaknesses

CWE-772

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object