CVE-2026-23299
MEDIUM EPSS 2.2%
Published Mar 25, 20263mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Published Mar 25, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: purge error queues in socket destructors When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued into sk_error_queue and will stay there until consumed. If userspace never gets to read the timestamps, or if the controller is removed unexpectedly, these SKBs will leak. Fix by adding skb_queue_purge() calls for sk_error_queue in affected bluetooth destructors. RFCOMM does not currently use sk_error_queue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High
Threat Intelligence
EPSS Exploit Probability
2.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-772
Affected Products 3
References 3
- git.kernel.org https://git.kernel.org/stable/c/21e4271e65094172aadd5beb8caea95dd0fbf6d7
- git.kernel.org https://git.kernel.org/stable/c/2b6c942a526635f5c61d2f000258e620da32d3a7
- git.kernel.org https://git.kernel.org/stable/c/3de7c10a950b36affc692d8bd2ac713852580e56
Remediation
- git.kernel.org https://git.kernel.org/stable/c/21e4271e65094172aadd5beb8caea95dd0fbf6d7
- git.kernel.org https://git.kernel.org/stable/c/2b6c942a526635f5c61d2f000258e620da32d3a7
- git.kernel.org https://git.kernel.org/stable/c/3de7c10a950b36affc692d8bd2ac713852580e56