KernelScan.io

HIGH

Bluetooth L2CAP ECRED Overflow

CVE-2026-23395

CVSS 8.8 / 10.0 (NVD)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI score: 8.8 (HIGH)

01

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ

Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer causing an overflow.

The spec is quite clear that the same identifier shall not be used on subsequent requests: 'Within each signaling channel a different Identifier shall be used for each successive request or indication.'

https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d

So this attempts to check if there are any channels pending with the same identifier and rejects if any are found.

02

Engine v0.2.0

Risk summary

An attacker within Bluetooth radio range can trigger a buffer overflow in the kernel's handling of L2CAP Enhanced Credit Based Mode (ECRED) connection requests by sending several L2CAP_ECRED_CONN_REQ commands that reuse the same command identifier. The result is kernel memory corruption, which can crash the device or potentially let the attacker run code in the kernel. No privileges, authentication or user interaction are required (AV:A/PR:N/UI:N); the target only needs Bluetooth enabled and a service accepting ECRED connections along the deferred-setup path the commit message describes.

Affected: net/bluetooth/l2cap_core.c (Bluetooth L2CAP)

Vulnerability analysis

The vulnerability is in l2cap_ecred_conn_req, the handler for L2CAP_ECRED_CONN_REQ in net/bluetooth/l2cap_core.c. A single request may carry at most L2CAP_ECRED_MAX_CID (5) source CIDs, and the handler does enforce that per-request limit; what it did not check was whether the request's command identifier was already in use by channels still pending on the same connection. When the listening socket defers setup, every accepted channel is marked FLAG_DEFER_SETUP and tagged with the identifier of the request that created it, and the combined response is built later by l2cap_ecred_rsp_defer, which walks all pending channels with that identifier and writes one CID per channel into a response buffer sized for L2CAP_ECRED_MAX_CID entries. A second request that reuses the identifier therefore adds up to five more pending channels under the same identifier, and the deferred response writes past the end of that buffer. The fix looks up pending channels by identifier with __l2cap_chan_list_id before accepting a request and rejects the request with L2CAP_CR_LE_INVALID_PARAMS if any are found. This is exactly what the Bluetooth Core specification already requires of the peer ('a different Identifier shall be used for each successive request'), so conforming peers are unaffected by the new check. The attack surface is adjacent: the attacker needs Bluetooth radio proximity and the ability to send L2CAP signaling packets to the target; no privileges, user interaction or local access are required.
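The handler logic described above, as an added userspace model written for this page (it is neither the page's code nor the kernel's): it parses an L2CAP_ECRED_CONN_REQ signaling PDU, tracks pending channels per command identifier, and compares the pre-fix behaviour with the fixed one. The channel table, the FLAG_DEFER_SETUP bookkeeping, the count-based stand-in for the deferred response buffer and the two constructed requests are simplifications of mine; the constant values mirror include/net/bluetooth/l2cap.h. The model does not perform the real out-of-bounds write; it counts the CID slots the deferred response would consume, which is the quantity the overflow depends on.

```c
/* Added example, not kernel code: a userspace model of the ECRED_CONN_REQ path.
 * Channel list and flags are simplified; constant values mirror l2cap.h. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define L2CAP_ECRED_CONN_REQ       0x17
#define L2CAP_ECRED_MAX_CID        5
#define L2CAP_CR_LE_SUCCESS        0x0000
#define L2CAP_CR_LE_INVALID_PARAMS 0x000C
#define CMD_HDR_LEN  4   /* code(1) ident(1) len(2) */
#define REQ_FIXED    8   /* psm(2) mtu(2) mps(2) credits(2), then scid[] */
#define MAX_CHANNELS 32  /* model-only bound on channels per connection */

struct chan { uint16_t scid; uint8_t ident; bool defer; }; /* defer = FLAG_DEFER_SETUP */
/* check_ident: false reproduces the pre-fix handler, true applies the fix */
struct conn { struct chan chans[MAX_CHANNELS]; size_t nchans; bool check_ident; };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one signaling PDU carrying an ECRED_CONN_REQ; returns -1 if malformed. */
static int parse_ecred_conn_req(const uint8_t *pdu, size_t len, uint8_t *ident,
                                uint16_t *scids, size_t *nscid)
{
    if (len < CMD_HDR_LEN || pdu[0] != L2CAP_ECRED_CONN_REQ) return -1;
    uint16_t cmd_len = le16(pdu + 2);
    if (cmd_len != len - CMD_HDR_LEN || cmd_len < REQ_FIXED) return -1;
    if ((cmd_len - REQ_FIXED) % 2) return -1;          /* SCIDs are 16-bit */
    *nscid = (cmd_len - REQ_FIXED) / 2;
    if (*nscid > L2CAP_ECRED_MAX_CID) return -1;       /* per-request cap is enforced */
    *ident = pdu[1];
    for (size_t i = 0; i < *nscid; i++)
        scids[i] = le16(pdu + CMD_HDR_LEN + REQ_FIXED + 2 * i);
    return 0;
}

/* The question the fix asks via __l2cap_chan_list_id: any channel pending on ident? */
static bool chan_list_has_ident(const struct conn *c, uint8_t ident)
{
    for (size_t i = 0; i < c->nchans; i++)
        if (c->chans[i].defer && c->chans[i].ident == ident) return true;
    return false;
}

/* Accept a request: each SCID becomes a pending channel tagged with the request's
 * ident (the listening socket is assumed to defer setup, as in the bug report). */
static uint16_t handle_ecred_conn_req(struct conn *c, const uint8_t *pdu, size_t len)
{
    uint8_t ident; uint16_t scids[L2CAP_ECRED_MAX_CID]; size_t n;
    if (parse_ecred_conn_req(pdu, len, &ident, scids, &n) < 0)
        return L2CAP_CR_LE_INVALID_PARAMS;
    if (c->check_ident && chan_list_has_ident(c, ident))
        return L2CAP_CR_LE_INVALID_PARAMS;             /* the fix: reject a reused ident */
    for (size_t i = 0; i < n && c->nchans < MAX_CHANNELS; i++)
        c->chans[c->nchans++] = (struct chan){ scids[i], ident, true };
    return L2CAP_CR_LE_SUCCESS;
}

/* Stand-in for l2cap_ecred_rsp_defer: one CID slot per pending channel with this ident,
 * in an array of L2CAP_ECRED_MAX_CID entries. More slots than that is the overflow. */
static size_t deferred_rsp_slots(const struct conn *c, uint8_t ident)
{
    size_t count = 0;
    for (size_t i = 0; i < c->nchans; i++)
        if (c->chans[i].defer && c->chans[i].ident == ident) count++;
    return count;
}

/* Constructed attacker input: a request carrying n consecutive SCIDs from first. */
static size_t build_ecred_conn_req(uint8_t *out, uint8_t ident, uint16_t first, size_t n)
{
    uint16_t fields[4] = { 0x0080, 0x00f0, 0x00f0, 0x0010 }; /* psm, mtu, mps, credits */
    size_t body = REQ_FIXED + 2 * n;
    out[0] = L2CAP_ECRED_CONN_REQ; out[1] = ident;
    out[2] = (uint8_t)body;        out[3] = (uint8_t)(body >> 8);
    for (size_t i = 0; i < 4; i++) { out[4 + 2*i] = (uint8_t)fields[i]; out[5 + 2*i] = (uint8_t)(fields[i] >> 8); }
    for (size_t i = 0; i < n; i++) { out[12 + 2*i] = (uint8_t)(first + i); out[13 + 2*i] = (uint8_t)((first + i) >> 8); }
    return CMD_HDR_LEN + body;
}

/* Replay the attack: two full requests reusing ident 0x42. The second uses fresh SCIDs
 * because the real handler separately rejects an SCID that is already in use. */
static size_t replay(bool fixed, uint16_t *second_result)
{
    struct conn c = { .check_ident = fixed };
    uint8_t pdu[CMD_HDR_LEN + REQ_FIXED + 2 * L2CAP_ECRED_MAX_CID];
    size_t len = build_ecred_conn_req(pdu, 0x42, 0x0040, L2CAP_ECRED_MAX_CID);
    handle_ecred_conn_req(&c, pdu, len);
    len = build_ecred_conn_req(pdu, 0x42, 0x0050, L2CAP_ECRED_MAX_CID);
    *second_result = handle_ecred_conn_req(&c, pdu, len);
    return deferred_rsp_slots(&c, 0x42);
}

int main(void) {
    uint16_t r; size_t slots = replay(false, &r);
    printf("pre-fix: result 0x%04x, CID slots %zu (array holds %d)\n", r, slots, L2CAP_ECRED_MAX_CID);
    slots = replay(true, &r);
    printf("fixed:   result 0x%04x, CID slots %zu\n", r, slots);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run it: the pre-fix path accepts both requests and ends up with ten pending channels on one identifier, twice what the deferred response array holds, while the fixed path answers the second request with L2CAP_CR_LE_INVALID_PARAMS and keeps the count at five. The per-request cap on SCIDs is the reason the attack needs a second request at all; the bug is that the cap was enforced per request while the response buffer is filled per identifier.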

03

Branch     Fixed in    Patch commit
5.10       5.10.253    10a7a7025422
5.15       5.15.203    46e5b71666fb
6.1        6.1.167     fb4a3a26483f
6.6        6.6.130     2124d82fd25e
6.12       6.12.78     6b949a6b33cb
6.18       6.18.20     8d0d94f8ba5b
6.19       6.19.10     e72ee455297b
mainline   7.0         5b3e2052334f