VYPR
High severity · 8.8 · NVD Advisory · Published Mar 25, 2026 · Updated Apr 24, 2026

CVE-2026-23395

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ

Currently the code attempts to accept requests regardless of the command identifier, which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP), which can cause more than L2CAP_ECRED_MAX_CID (5) to be allocated in l2cap_ecred_rsp_defer, causing an overflow.

The spec is quite clear that the same identifier shall not be used on subsequent requests:

'Within each signaling channel a different Identifier shall be used for each successive request or indication.'
https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d

So this attempts to check if there are any channels pending with the same identifier and rejects if any are found.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Bluetooth L2CAP vulnerability in the Linux kernel allows an unauthenticated attacker to cause a buffer overflow by sending multiple L2CAP_ECRED_CONN_REQ with the same identifier, potentially leading to code execution or system crash.

CVE-2026-23395 is a high-severity vulnerability in the Bluetooth L2CAP subsystem of the Linux kernel. The root cause is that the kernel fails to enforce the Bluetooth Core Specification requirement that each successive request or indication use a different command identifier [1][2]. When processing L2CAP_ECRED_CONN_REQ messages, the code marks channels as pending (FLAG_DEFER_SETUP) without checking whether the same identifier is already in use, allowing multiple requests with the same identifier to be accepted.

To exploit this vulnerability, an attacker needs to send multiple L2CAP_ECRED_CONN_REQ frames with an identical command identifier over a Bluetooth signaling channel. No authentication is required; the attack can be launched by any device within Bluetooth range that can establish an L2CAP connection. By sending such repeated requests, the attacker can cause the kernel to allocate more than L2CAP_ECRED_MAX_CID (5) channels in the l2cap_ecred_rsp_defer function, leading to an overflow of a fixed-size buffer [1][3].

The impact of this overflow includes memory corruption within the kernel. This can result in a denial of service (system crash) or, potentially, arbitrary code execution with kernel privileges. Given the CVSS v3 base score of 8.8, the vulnerability poses a serious threat to systems with Bluetooth enabled, especially in close-proximity attack scenarios.

The fix, introduced in multiple stable kernel commits, adds a check that rejects any new L2CAP_ECRED_CONN_REQ if there is already a pending channel with the same command identifier [1][2][3][4]. Users are advised to update their Linux kernels to the latest stable version containing this patch. There is no known workaround except disabling Bluetooth if patching is not immediately possible.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
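
The identifier check that the description and the fix paragraph above refer to, as an added example: a simplified user-space C model, not the kernel's code and not taken from the patch. All `model_*` names, the toy table size, the per-request limit check and the `enforce_ident` switch are assumptions of this model; only `L2CAP_ECRED_MAX_CID` (5) and `FLAG_DEFER_SETUP` come from the advisory text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define L2CAP_ECRED_MAX_CID 5  /* limit quoted in the advisory */
#define MODEL_MAX_CHANS 32     /* assumption: capacity of this toy table */

/* Hypothetical stand-in for one channel on a signaling link. */
struct model_chan {
    uint8_t ident;      /* identifier of the request that created it */
    bool defer_setup;   /* models FLAG_DEFER_SETUP: response still pending */
};

struct model_conn {
    struct model_chan chans[MODEL_MAX_CHANS];
    size_t n;
};

/* How many channel IDs a deferred response for `ident` must carry.
 * A response buffer sized for L2CAP_ECRED_MAX_CID entries is only
 * safe while this never exceeds that limit. */
size_t model_pending_for_ident(const struct model_conn *c, uint8_t ident)
{
    size_t count = 0;
    for (size_t i = 0; i < c->n; i++)
        if (c->chans[i].defer_setup && c->chans[i].ident == ident)
            count++;
    return count;
}

/* Returns the number of channels created, or -1 when rejected.
 * enforce_ident == false models the behaviour before the fix. */
int model_ecred_conn_req(struct model_conn *c, uint8_t ident,
                         size_t n_scid, bool enforce_ident)
{
    if (n_scid == 0 || n_scid > L2CAP_ECRED_MAX_CID)
        return -1;                       /* assumed per-request limit */
    if (enforce_ident && model_pending_for_ident(c, ident) > 0)
        return -1;                       /* identifier already pending */
    if (c->n + n_scid > MODEL_MAX_CHANS)
        return -1;                       /* toy table full */
    for (size_t i = 0; i < n_scid; i++)
        c->chans[c->n++] = (struct model_chan){ ident, true };
    return (int)n_scid;
}
```

With the check disabled, two requests that share an identifier leave more pending channels for that identifier than the limit allows; with it enabled, the second request is rejected and the count stays within the limit.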

Affected products

  • Linux/Kernel (10 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.7.1,<5.10.253)
    • cpe:2.3:o:linux:linux_kernel:5.7:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
    • (no CPE)
