{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23299", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:55.481Z", "dateUpdated": "2026-03-25T10:26:55.481Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:55.481Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: purge error queues in socket destructors\n\nWhen TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued\ninto sk_error_queue and will stay there until consumed. If userspace never\ngets to read the timestamps, or if the controller is removed unexpectedly,\nthese SKBs will leak.\n\nFix by adding skb_queue_purge() calls for sk_error_queue in affected\nbluetooth destructors. RFCOMM does not currently use sk_error_queue."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/hci_sock.c", "net/bluetooth/iso.c", "net/bluetooth/l2cap_sock.c", "net/bluetooth/sco.c"], "versions": [{"version": "134f4b39df7b77225a80ef585c15d46f964f5e6f", "lessThan": "2b6c942a526635f5c61d2f000258e620da32d3a7", "status": "affected", "versionType": "git"}, {"version": "134f4b39df7b77225a80ef585c15d46f964f5e6f", "lessThan": "3de7c10a950b36affc692d8bd2ac713852580e56", "status": "affected", "versionType": "git"}, {"version": "134f4b39df7b77225a80ef585c15d46f964f5e6f", "lessThan": "21e4271e65094172aadd5beb8caea95dd0fbf6d7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/hci_sock.c", "net/bluetooth/iso.c", "net/bluetooth/l2cap_sock.c", "net/bluetooth/sco.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2b6c942a526635f5c61d2f000258e620da32d3a7"}, {"url": "https://git.kernel.org/stable/c/3de7c10a950b36affc692d8bd2ac713852580e56"}, {"url": "https://git.kernel.org/stable/c/21e4271e65094172aadd5beb8caea95dd0fbf6d7"}], "title": "Bluetooth: purge error queues in socket destructors", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: purge error queues in socket destructors\n\nWhen TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued\ninto sk_error_queue and will stay there until consumed. If userspace never\ngets to read the timestamps, or if the controller is removed unexpectedly,\nthese SKBs will leak.\n\nFix by adding skb_queue_purge() calls for sk_error_queue in affected\nbluetooth destructors. RFCOMM does not currently use sk_error_queue."}], "id": "CVE-2026-23299", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:25.487", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/21e4271e65094172aadd5beb8caea95dd0fbf6d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2b6c942a526635f5c61d2f000258e620da32d3a7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3de7c10a950b36affc692d8bd2ac713852580e56"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: Bluetooth: purge error queues in socket destructors", "id": "2451204", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451204"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's Bluetooth subsystem. When transmit (TX) timestamping is enabled, socket kernel buffers (SKBs) can accumulate in an error queue. If user applications fail to read these timestamps or if the Bluetooth controller is unexpectedly removed, these SKBs are not properly released. This oversight leads to a memory leak, which can degrade system performance or cause a denial of service (DoS)."], "name": "CVE-2026-23299", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23299\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23299\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23299-6471@gregkh/T"], "statement": "This flaw affects systems using Bluetooth with SO_TIMESTAMPING enabled for TX timestamps. The memory leak occurs when SKBs queued in sk_error_queue are not consumed before socket destruction or controller removal. The impact is gradual memory exhaustion rather than an immediate crash. RFCOMM sockets are not affected.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[134f4b39df7b77225a80ef585c15d46f964f5e6f,2b6c942a526635f5c61d2f000258e620da32d3a7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[134f4b39df7b77225a80ef585c15d46f964f5e6f,3de7c10a950b36affc692d8bd2ac713852580e56)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[134f4b39df7b77225a80ef585c15d46f964f5e6f,21e4271e65094172aadd5beb8caea95dd0fbf6d7)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T02:27:44.731835+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the fix for the error queue purge.", "If possible, avoid enabling SO_TIMESTAMPING on Bluetooth sockets until you can apply a kernel update.", "Monitor kernel memory usage for abnormal increases in socket buffer statistics."], "summary": {"action": "Apply Patch", "impact": "Kernel memory leak"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that include the Bluetooth subsystem, without vendor\u2011specific restrictions. The vulnerability is present in the kernel at the time of the commit snapshots cited but no specific release version is listed. Any system running an affected kernel can be impacted through any user process or driver interacting with Bluetooth sockets.", "description_and_impact": "The flaw allows transmit timestamps with Bluetooth sockets to be queued in the error queue until they are retrieved or the hardware is removed. If the timestamps are never read or the controller drops unexpectedly, the queued socket buffers never get freed, causing a buildup of memory\u2011allocations within the kernel and potentially exhausting kernel memory, leading to degraded performance or system instability.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a medium severity. EPSS is below 1% and the issue is not listed in the KEV catalog, suggesting low exploitation likelihood. The most probable attack vector involves operations that enable timestamping on Bluetooth sockets, then either dropping the device or failing to read timestamps, which causes the error queue to accumulate. A local attacker with the ability to manipulate Bluetooth sockets could trigger repeated leaks, potentially leading to kernel memory exhaustion."}}}}, "created": "2026-03-25T21:15:31.405386+00:00", "updated": "2026-03-26T12:16:57.374749+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}