CVE-2026-23395
- Source
- https://cve.org/CVERecord?id=CVE-2026-23395
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23395.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-23395
- Downstream
- Published
- 2026-03-25T10:33:18.936Z
- Modified
- 2026-04-02T13:12:23.937141Z
- Summary
- Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix accepting multiple L2CAPECREDCONN_REQ
Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAGDEFERSETUP) which can cause more than L2CAPECREDMAXCID(5) to be allocated in l2capecredrspdefer causing an overflow.
The spec is quite clear that the same identifier shall not be used on subsequent requests:
'Within each signaling channel a different Identifier shall be used for each successive request or indication.' https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d
So this attempts to check if there are any channels pending with the same identifier and rejects if any are found.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23395.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/2124d82fd25e1671bb3ceb37998af5aae5903e06
- https://git.kernel.org/stable/c/5b3e2052334f2ff6d5200e952f4aa66994d09899
- https://git.kernel.org/stable/c/6b949a6b33cbdf621d9fc6f0c48ac00915dbf514
- https://git.kernel.org/stable/c/8d0d94f8ba5b3a0beec3b0da558b9bea48018117
- https://git.kernel.org/stable/c/e72ee455297b794b852e5cea8d2d7bb17312172a
- https://git.kernel.org/stable/c/fb4a3a26483f3ea2cd21c7a2f7c45d5670600465
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23395.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23395
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced15f02b91056253e8cdc592888f431da0731337b8Fixedfb4a3a26483f3ea2cd21c7a2f7c45d5670600465Fixed2124d82fd25e1671bb3ceb37998af5aae5903e06Fixed6b949a6b33cbdf621d9fc6f0c48ac00915dbf514Fixed8d0d94f8ba5b3a0beec3b0da558b9bea48018117Fixede72ee455297b794b852e5cea8d2d7bb17312172aFixed5b3e2052334f2ff6d5200e952f4aa66994d09899