CVE-2026-53208 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig

net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
signaling packets up to the channel MTU and dispatches each command
without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
within radio range can send a fixed-channel CID 0x0001 packet that is
larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
pairing. In a real-radio stock-kernel run, one 681-byte signaling
packet containing 168 zero-length ECHO_REQ commands made the target
transmit 168 ECHO_RSP frames over about 220 ms.

Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
packet containing packed ECHO_REQ commands.

Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.

The Bluetooth Core spec wording for MTUExceeded says the reject
identifier shall match the first request command in the packet, and
that packets containing only responses shall be silently discarded.
Linux intentionally deviates from that prescription: silently
discarding desynchronizes the peer because the remote stack never
learns its responses were dropped, and locating the first request
command requires walking command headers past MTUsig, i.e. processing
bytes from a packet we have already decided is too large to process.
We therefore always emit one reject and use the identifier from the
first command header, a single fixed-offset byte read.

The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
trace to the initial git import; no later introducing commit is
available for a Fixes tag.

Published: 2026-06-25

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel Bluetooth stack contains a flaw in the L2CAP signaling packet parser. When a BR/EDR peer sends a fixed‑channel packet that exceeds the allowed signaling MTU (typically 48 bytes) but falls within the channel MTU, the kernel accepts the packet and dispatches every command inside without checking the size. An attacker can pack many L2CAP_ECHO_REQ commands into a single 681‑byte packet. For each command the kernel then generates an L2CAP_ECHO_RSP frame. In a real‑world test the victim transmitted 168 response frames over roughly 220 ms, illustrating a forced high‑rate transmission that can exhaust local radio resources or saturate the device’s traffic handling.

Affected Systems

The weakness affects the generic Linux kernel, specifically the Bluetooth L2CAP implementation located in net/bluetooth/l2cap_core.c. No particular kernel version is listed in the advisory, but all kernels containing the unpatched code are vulnerable. The vulnerability resides in the lower‑level Bluetooth stack and can be triggered by any device that communicates over Bluetooth BR/EDR with the affected host.

Risk and Exploitability

The flaw is exploitable by any Bluetooth BR/EDR device within radio range of the target before pairing is established. Because the attack only requires sending a single oversized signaling packet, the adjacency requirement is the main limitation. No public exploits have been reported and the vulnerability is not listed in the CISA KEV catalog, but the lack of an immediate fix in the kernel code and the deterministic resource consumption make the risk moderate to high for deployments that keep Bluetooth enabled. The EPSS score is unavailable, so the actual probability of exploitation cannot be quantified, but the potential impact is a denial of service that forces the device to transmit many frames.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e05c4ac575b457978a7ef441053394169084869c
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< fa5823126239b3e453fac1a2fe50726c7f4a55e1
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< b20e8a98dd29b121f58fcdf51e8576119aba536a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 214a2042b16b3c8d798a8b9ef9f36094f13a9859
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< a8335f3db15bd1e0e82e0db5d488fabc7d10d1ab
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< dedc92b96dc1d8919a3bdf2495ede68922ef7ebc
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e2b8acf9405bd9b1baf1c54dc897b0905db689bf
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< dd214733544427587a95f66dbf3adff072568990
`0`	affected	< 5.10.259
`0`	affected	< 5.15.210
`0`	affected	< 6.1.176
`0`	affected	< 6.6.143
`0`	affected	< 6.12.94
`0`	affected	< 6.18.36
`0`	affected	< 7.0.13

Linux

affected

Version	Status	Constraints
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to the latest release that includes the commit fixing the L2CAP signing MTU enforcement
If an update cannot be applied immediately, disable Bluetooth or block BR/EDR traffic on the affected systems through policy or firewall rules
As a temporary measure, monitor Bluetooth traffic for unusually large fixed‑channel signaling packets and drop them at the network layer if the kernel cannot be patched

Generated by OpenCVE AI on June 25, 2026 at 11:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/214a2042b16b3c8d798a8b9ef9f36094f13a9859
https://git.kernel.org/stable/c/a8335f3db15bd1e0e82e0db5d488fabc7d10d1ab
https://git.kernel.org/stable/c/b20e8a98dd29b121f58fcdf51e8576119aba536a
https://git.kernel.org/stable/c/dd214733544427587a95f66dbf3adff072568990
https://git.kernel.org/stable/c/dedc92b96dc1d8919a3bdf2495ede68922ef7ebc
https://git.kernel.org/stable/c/e05c4ac575b457978a7ef441053394169084869c
https://git.kernel.org/stable/c/e2b8acf9405bd9b1baf1c54dc897b0905db689bf
https://git.kernel.org/stable/c/fa5823126239b3e453fac1a2fe50726c7f4a55e1

History

Thu, 25 Jun 2026 11:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20 CWE-400

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR signaling packets up to the channel MTU and dispatches each command without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer within radio range can send a fixed-channel CID 0x0001 packet that is larger than MTUsig and contains many L2CAP_ECHO_REQ commands before pairing. In a real-radio stock-kernel run, one 681-byte signaling packet containing 168 zero-length ECHO_REQ commands made the target transmit 168 ECHO_RSP frames over about 220 ms. Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling packet containing packed ECHO_REQ commands. Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched. The Bluetooth Core spec wording for MTUExceeded says the reject identifier shall match the first request command in the packet, and that packets containing only responses shall be silently discarded. Linux intentionally deviates from that prescription: silently discarding desynchronizes the peer because the remote stack never learns its responses were dropped, and locating the first request command requires walking command headers past MTUsig, i.e. processing bytes from a packet we have already decided is too large to process. We therefore always emit one reject and use the identifier from the first command header, a single fixed-offset byte read. The unrestricted BR/EDR signaling parser and ECHO_REQ response path both trace to the initial git import; no later introducing commit is available for a Fixes tag.
Title		Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/214a2042b16b3c8d798a8b9ef9f36094f13a9859 https://git.kernel.org/stable/c/a8335f3db15bd1e0e82e0db5d488fabc7d10d1ab https://git.kernel.org/stable/c/b20e8a98dd29b121f58fcdf51e8576119aba536a https://git.kernel.org/stable/c/dd214733544427587a95f66dbf3adff072568990 https://git.kernel.org/stable/c/dedc92b96dc1d8919a3bdf2495ede68922ef7ebc https://git.kernel.org/stable/c/e05c4ac575b457978a7ef441053394169084869c https://git.kernel.org/stable/c/e2b8acf9405bd9b1baf1c54dc897b0905db689bf https://git.kernel.org/stable/c/fa5823126239b3e453fac1a2fe50726c7f4a55e1

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:14.257Z

Updated: 2026-06-25T08:39:14.257Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53208

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:30:06Z

Weaknesses

CWE-20
Improper Input Validation
CWE-400
Uncontrolled Resource Consumption

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object