Cyber Resilience

CVE-2026-23395

High

Published: 25 March 2026

Modified: 24 April 2026
KEV Added:
Patch
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (16.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23395 is a high-severity vulnerability (weakness type not specified) in the Linux kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). EPSS ranks it at the 16.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23395 is a vulnerability in the Linux kernel's Bluetooth L2CAP implementation that allows acceptance of multiple L2CAP_ECRED_CONN_REQ packets regardless of their command identifier. This flaw causes multiple requests to be marked as pending (FLAG_DEFER_SETUP), resulting in more than L2CAP_ECRED_MAX_CID (5) channel identifiers being allocated in l2cap_ecred_rsp_defer, leading to an overflow. The issue violates Bluetooth specifications, which require unique identifiers for each successive request on a signaling channel.

An attacker within adjacent network range (Bluetooth proximity) with no privileges or user interaction required can exploit this by sending crafted L2CAP_ECRED_CONN_REQ packets using the same identifier repeatedly. Successful exploitation achieves high impacts on confidentiality, integrity, and availability (CVSS 3.1 score of 8.8: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), potentially causing kernel resource exhaustion, denial of service, or further compromise through the overflow.

Kernel patches referenced in stable git commits (e.g., 10a7a7025422, 2124d82fd25e, 46e5b71666fb, 5b3e2052334f, 6b949a6b33cb) mitigate the issue by checking for existing pending channels with the same identifier and rejecting subsequent requests, enforcing the Bluetooth specification's uniqueness requirement. Security practitioners should update to kernels incorporating these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ. Currently the code attempts to accept requests regardless of the command identifier, which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP), which can cause more than L2CAP_ECRED_MAX_CID (5) to be allocated in l2cap_ecred_rsp_defer, causing an overflow. The spec is quite clear that the same identifier shall not be used on subsequent requests: 'Within each signaling channel a different Identifier shall be used for each successive request or indication.' https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d So this attempts to check if there are any channels pending with the same identifier and rejects if any are found.
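The accounting behind the "Deeper analysis" and the commit text above, modelled as an added C simulation: this is not kernel code and is not taken from the referenced commits. It keeps a toy table of pending (deferred-setup) channels tagged with the signaling identifier that created them, caps the deferred response at the page's L2CAP_ECRED_MAX_CID, and shows how the pre-fix behaviour (accept every request) lets the pending count for one identifier exceed that cap, while the fixed behaviour (reject a request whose identifier already has pending channels) keeps it bounded. The table size MAX_PENDING, the struct and function names, and the replayed three-request scenario are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant named on the page: a deferred ECRED response carries at most 5 CIDs. */
#define L2CAP_ECRED_MAX_CID 5
/* Size of this toy pending table; a hypothetical value, not a kernel constant. */
#define MAX_PENDING 32

struct pending_chan {
    uint8_t ident;     /* signaling identifier of the request that created it */
    bool defer_setup;  /* models FLAG_DEFER_SETUP: channel accepted but not yet set up */
};

struct conn_state {
    struct pending_chan chans[MAX_PENDING];
    size_t n_chans;
    bool enforce_unique_ident;  /* false = pre-fix behaviour, true = fixed behaviour */
};

/* Count channels still pending for a given identifier. */
static size_t pending_with_ident(const struct conn_state *st, uint8_t ident)
{
    size_t n = 0;
    for (size_t i = 0; i < st->n_chans; i++)
        if (st->chans[i].defer_setup && st->chans[i].ident == ident)
            n++;
    return n;
}

/* Handle one ECRED connection request carrying n_cids source CIDs.
 * Returns the number of channels accepted; 0 means the request was rejected. */
size_t handle_ecred_conn_req(struct conn_state *st, uint8_t ident, size_t n_cids)
{
    if (n_cids == 0 || n_cids > L2CAP_ECRED_MAX_CID)
        return 0;  /* malformed: more CIDs than one request may carry */

    /* The check the fix describes: an identifier that already has pending
     * channels must not be reused, so the duplicate request is rejected. */
    if (st->enforce_unique_ident && pending_with_ident(st, ident) > 0)
        return 0;

    size_t accepted = 0;
    for (size_t i = 0; i < n_cids && st->n_chans < MAX_PENDING; i++) {
        st->chans[st->n_chans].ident = ident;
        st->chans[st->n_chans].defer_setup = true;
        st->n_chans++;
        accepted++;
    }
    return accepted;
}

/* Models the deferred response for one identifier: it has room for at most
 * L2CAP_ECRED_MAX_CID channels, so more pending channels than that is the
 * overflow condition the advisory describes. */
bool deferred_rsp_would_overflow(const struct conn_state *st, uint8_t ident)
{
    return pending_with_ident(st, ident) > L2CAP_ECRED_MAX_CID;
}

/* Constructed scenario: three requests reusing one identifier, 5 CIDs each.
 * Returns true if the deferred response for that identifier would overflow. */
bool scenario_overflows(bool enforce_unique)
{
    struct conn_state st;
    memset(&st, 0, sizeof st);
    st.enforce_unique_ident = enforce_unique;
    for (int i = 0; i < 3; i++)
        handle_ecred_conn_req(&st, 0x42, L2CAP_ECRED_MAX_CID);
    return deferred_rsp_would_overflow(&st, 0x42);
}

int main(void)
{
    printf("pre-fix accounting: overflow=%d\n", scenario_overflows(false));
    printf("fixed accounting:   overflow=%d\n", scenario_overflows(true));
    return 0;
}
```

The point of the model is that the bound is only safe if it is enforced at the request boundary: once a second request with the same identifier is admitted, the response path receives more channels than it was sized for, which is exactly the condition the identifier uniqueness check closes off.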

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1499 Endpoint Denial of Service (Impact): Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Kernel Bluetooth L2CAP flaw enables adjacent-network exploitation of remote service for DoS via resource exhaustion/overflow or potential privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43011 (same product: Linux Linux Kernel)
CVE-2026-31717 (same product: Linux Linux Kernel)
CVE-2026-23461 (same product: Linux Linux Kernel)
CVE-2026-23193 (same product: Linux Linux Kernel)
CVE-2026-31432 (same product: Linux Linux Kernel)
CVE-2026-31436 (same product: Linux Linux Kernel)
CVE-2026-31402 (same product: Linux Linux Kernel)
CVE-2026-23098 (same product: Linux Linux Kernel)
CVE-2026-31629 (same product: Linux Linux Kernel)
CVE-2024-57926 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.7, 7.0 · 5.7.1 to 5.10.253 · 5.11 to 5.15.203 · 5.16 to 6.1.167

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Requires timely remediation of flaws like the L2CAP identifier validation failure through kernel patches that enforce unique identifiers and prevent CID overflow.

prevent (SI-10, Information Input Validation): Mandates validation of inputs such as L2CAP_ECRED_CONN_REQ command identifiers to reject duplicates and avoid excessive resource allocation.

prevent (SC-5, Denial-of-service Protection): Provides protection against denial of service from resource exhaustion caused by allocating more than L2CAP_ECRED_MAX_CID identifiers.

References