CVE-2026-23395
Published: 25 March 2026
Summary
CVE-2026-23395 is a high-severity vulnerability in the Linux kernel; its weakness type (CWE) is unspecified. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). It is ranked at the 16.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-23395 is a vulnerability in the Linux kernel's Bluetooth L2CAP implementation that allows acceptance of multiple L2CAP_ECRED_CONN_REQ packets regardless of their command identifier. This flaw causes multiple requests to be marked as pending (FLAG_DEFER_SETUP), resulting in more than L2CAP_ECRED_MAX_CID (5) channel identifiers being allocated in l2cap_ecred_rsp_defer, leading to an overflow. The issue violates Bluetooth specifications, which require unique identifiers for each successive request on a signaling channel.
An attacker within adjacent network range (Bluetooth proximity) with no privileges or user interaction required can exploit this by sending crafted L2CAP_ECRED_CONN_REQ packets using the same identifier repeatedly. Successful exploitation achieves high impacts on confidentiality, integrity, and availability (CVSS 3.1 score of 8.8: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), potentially causing kernel resource exhaustion, denial of service, or further compromise through the overflow.
Kernel patches referenced in stable git commits (e.g., 10a7a7025422, 2124d82fd25e, 46e5b71666fb, 5b3e2052334f, 6b949a6b33cb) mitigate the issue by checking for existing pending channels with the same identifier and rejecting subsequent requests, enforcing the Bluetooth specification's uniqueness requirement. Security practitioners should update to kernels incorporating these fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15398
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ.
Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer causing an overflow. The spec is quite clear that the same identifier shall not be used on subsequent requests: 'Within each signaling channel a different Identifier shall be used for each successive request or indication.' https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d So this attempts to check if there are any channels pending with the same identifier and rejects if any are found.
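As an added illustration (a constructed model written for this page, not the kernel's code or the referenced patch), the C sketch below models the deferred-response path that the analysis above and the commit message describe. ecred_conn_req, ecred_rsp_defer, struct conn and MAX_CHANS are hypothetical names; L2CAP_ECRED_MAX_CID is the constant the page names. With check_ident false, two requests that reuse one identifier leave ten pending channels for that identifier, more than the five-entry response can hold; with the fix's check enabled, the second request is rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define L2CAP_ECRED_MAX_CID 5   /* CIDs one ECRED conn req/rsp may carry */
#define MAX_CHANS 64            /* model limit, not a kernel constant */

struct chan { uint16_t scid; uint8_t ident; bool defer_setup; };
struct conn { struct chan chans[MAX_CHANS]; size_t nchans; };

/* Hypothetical handler: queue each requested CID as a deferred channel.
 * check_ident == false mirrors the flaw (ident ignored, so a reused ident
 * keeps adding pending channels); true applies the fix (reject reuse). */
int ecred_conn_req(struct conn *c, uint8_t ident, const uint16_t *scids,
                   size_t n, bool check_ident)
{
    if (n == 0 || n > L2CAP_ECRED_MAX_CID)
        return -1;              /* malformed request */
    if (check_ident)
        for (size_t i = 0; i < c->nchans; i++)
            if (c->chans[i].defer_setup && c->chans[i].ident == ident)
                return -2;      /* ident already used by a pending request */
    if (c->nchans + n > MAX_CHANS)
        return -1;
    for (size_t i = 0; i < n; i++) {
        struct chan *ch = &c->chans[c->nchans++];
        ch->scid = scids[i]; ch->ident = ident; ch->defer_setup = true;
    }
    return 0;
}

/* Build the deferred response for one ident. Returns how many CIDs belong
 * in it; more than L2CAP_ECRED_MAX_CID is the overflow condition. The model
 * stops writing at the array bound rather than corrupting memory. */
int ecred_rsp_defer(const struct conn *c, uint8_t ident,
                    uint16_t dcid[L2CAP_ECRED_MAX_CID])
{
    int count = 0;
    for (size_t i = 0; i < c->nchans; i++) {
        if (!c->chans[i].defer_setup || c->chans[i].ident != ident)
            continue;
        if (count < L2CAP_ECRED_MAX_CID)
            dcid[count] = c->chans[i].scid;
        count++;
    }
    return count;
}
```

The count returned by ecred_rsp_defer is the quantity to watch: anything above L2CAP_ECRED_MAX_CID is the state the unpatched path would have written past its response buffer.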
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation of Remote Services (T1210)
Why these techniques?
The kernel Bluetooth L2CAP flaw lets an adjacent-network attacker exploit a remote service, causing denial of service through resource exhaustion or the CID overflow, or potentially privilege escalation.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: Requires timely remediation of flaws like the L2CAP identifier validation failure through kernel patches that enforce unique identifiers and prevent CID overflow.
- SI-10 (Information Input Validation): Mandates validation of inputs such as L2CAP_ECRED_CONN_REQ command identifiers to reject duplicates and avoid excessive resource allocation.
- SC-5 (Denial-of-service Protection): Provides protection against denial of service from resource exhaustion caused by allocating more than L2CAP_ECRED_MAX_CID identifiers.