{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23299", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:55.481Z", "dateUpdated": "2026-03-25T10:26:55.481Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:55.481Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: purge error queues in socket destructors\n\nWhen TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued\ninto sk_error_queue and will stay there until consumed. If userspace never\ngets to read the timestamps, or if the controller is removed unexpectedly,\nthese SKBs will leak.\n\nFix by adding skb_queue_purge() calls for sk_error_queue in affected\nbluetooth destructors. RFCOMM does not currently use sk_error_queue."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/hci_sock.c", "net/bluetooth/iso.c", "net/bluetooth/l2cap_sock.c", "net/bluetooth/sco.c"], "versions": [{"version": "134f4b39df7b77225a80ef585c15d46f964f5e6f", "lessThan": "2b6c942a526635f5c61d2f000258e620da32d3a7", "status": "affected", "versionType": "git"}, {"version": "134f4b39df7b77225a80ef585c15d46f964f5e6f", "lessThan": "3de7c10a950b36affc692d8bd2ac713852580e56", "status": "affected", "versionType": "git"}, {"version": "134f4b39df7b77225a80ef585c15d46f964f5e6f", "lessThan": "21e4271e65094172aadd5beb8caea95dd0fbf6d7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/hci_sock.c", "net/bluetooth/iso.c", "net/bluetooth/l2cap_sock.c", "net/bluetooth/sco.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2b6c942a526635f5c61d2f000258e620da32d3a7"}, {"url": "https://git.kernel.org/stable/c/3de7c10a950b36affc692d8bd2ac713852580e56"}, {"url": "https://git.kernel.org/stable/c/21e4271e65094172aadd5beb8caea95dd0fbf6d7"}], "title": "Bluetooth: purge error queues in socket destructors", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: purge error queues in socket destructors\n\nWhen TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued\ninto sk_error_queue and will stay there until consumed. If userspace never\ngets to read the timestamps, or if the controller is removed unexpectedly,\nthese SKBs will leak.\n\nFix by adding skb_queue_purge() calls for sk_error_queue in affected\nbluetooth destructors. RFCOMM does not currently use sk_error_queue."}], "id": "CVE-2026-23299", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:25.487", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/21e4271e65094172aadd5beb8caea95dd0fbf6d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2b6c942a526635f5c61d2f000258e620da32d3a7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3de7c10a950b36affc692d8bd2ac713852580e56"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: Bluetooth: purge error queues in socket destructors", "id": "2451204", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451204"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's Bluetooth subsystem. When transmit (TX) timestamping is enabled, socket kernel buffers (SKBs) can accumulate in an error queue. If user applications fail to read these timestamps or if the Bluetooth controller is unexpectedly removed, these SKBs are not properly released. This oversight leads to a memory leak, which can degrade system performance or cause a denial of service (DoS)."], "name": "CVE-2026-23299", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23299\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23299\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23299-6471@gregkh/T"], "statement": "This flaw affects systems using Bluetooth with SO_TIMESTAMPING enabled for TX timestamps. The memory leak occurs when SKBs queued in sk_error_queue are not consumed before socket destruction or controller removal. The impact is gradual memory exhaustion rather than an immediate crash. RFCOMM sockets are not affected.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T11:22:40.570354+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that adds skb_queue_purge calls to Bluetooth socket destructors.", "If an immediate patch is not available, avoid enabling SO_TIMESTAMPING on Bluetooth sockets in user applications.", "Consider disabling Bluetooth if it is not required for your environment.", "Monitor kernel memory usage and system logs for signs of excessive skb allocation or out\u2011of\u2011memory events."], "summary": {"action": "Immediate Patch", "impact": "Memory Leak leading to Denial of Service"}, "threat_synthesis": {"affected_systems": "This bug affects all Linux kernel implementations that lack the skb_queue_purge calls in Bluetooth destructors, including older kernel releases prior to the upstream fix. No specific version range is listed, so any kernel that predates the patch is potentially affected.", "description_and_impact": "The Linux kernel Bluetooth subsystem fails to purge packets queued in the error queue when a socket is destroyed. When transmit timestamping is enabled via SO_TIMESTAMPING, skb objects are placed into the error queue and remain allocated unless the socket is read or the controller is unexpectedly removed. Over time these leaked skbs consume kernel memory, potentially exhausting it and destabilizing the system. The vulnerability is limited to the Bluetooth stack and occurs during socket cleanup.", "risk_and_exploitability": "The CVSS score is not provided and the EPSS score is unavailable, but the flaw can be exploited by a local user who can create Bluetooth sockets with SO_TIMESTAMPING enabled or by an application that leaves those sockets open after controller removal. The attacker can force memory exhaustion and cause a denial\u2011of\u2011service. Although the CISA KEV list does not currently include this vulnerability, the local nature of the attack vector and the lack of memory protection suggest a moderate to high risk if the kernel is unpatched."}}}}, "created": "2026-03-25T21:15:31.405386+00:00", "updated": "2026-03-25T21:15:31.405413+00:00", "vendors": [], "weaknesses": ["CWE-399"]}