Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ

Currently the code attempts to accept requests regardless of the
command identifier which may cause multiple requests to be marked
as pending (FLAG_DEFER_SETUP) which can cause more than
L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer
causing an overflow.

The spec is quite clear that the same identifier shall not be used on
subsequent requests:

'Within each signaling channel a different Identifier shall be used
for each successive request or indication.'
https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d

So this attempts to check if there are any channels pending with the
same identifier and rejects if any are found.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The Linux kernel's Bluetooth L2CAP implementation incorrectly accepts multiple connection requests with the same identifier. Because the code does not check for pending requests, it can mark more than the maximum allowed number of links (L2CAP_ECRED_MAX_CID=5) as pending. This causes an overflow in the allocated link list. The overflow can corrupt memory and leads to a denial of service by crashing the Bluetooth subsystem.

Affected Systems

The flaw affects all Linux kernel versions that contain the vulnerable L2CAP code. All distributions that ship an unpatched kernel are affected. Patch is required regardless of distribution version but is only available in the latest kernel releases after the fix. The advisory refers to the kernel source and kernel.org commits for airborne patching.

Risk and Exploitability

The vulnerability scores an 8.8 on CVSS, indicating high severity. The EPSS score is below 1%, indicating a low probability of widespread exploitation. The flaw is not yet in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to connect to the vulnerable device over Bluetooth with a crafted L2CAP connection request; therefore the vector is inferred to be local or near-range Bluetooth, not internet‑accessible. Without the patch, an attacker could trigger the overflow whenever they send more than five overlapping L2CAP connection requests.

Generated by OpenCVE AI on April 2, 2026 at 10:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the L2CAP_ECRED_CONN_REQ patch.
  • Verify that the kernel version is at least the patched commit; consult kernel.org or the distribution's security advisories.
  • If immediate upgrade not possible, consider disabling Bluetooth on the device to eliminate the attack surface.
  • As a temporary measure, isolate the device from potential Bluetooth neighbors by turning off its discoverability or limiting paired devices.

Generated by OpenCVE AI on April 2, 2026 at 10:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 02 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1288
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer causing an overflow. The spec is quite clear that the same identifier shall not be used on subsequent requests: 'Within each signaling channel a different Identifier shall be used for each successive request or indication.' https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d So this attempts to check if there are any channels pending with the same identifier and rejects if any are found.
Title Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:29.622Z

Reserved: 2026-01-13T15:37:46.011Z

Link: CVE-2026-23395

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:40.347

Modified: 2026-04-18T09:16:23.467

Link: CVE-2026-23395

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23395 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:22:56Z

Weaknesses