{"id":"CVE-2026-23395","summary":"Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ\n\nCurrently the code attempts to accept requests regardless of the\ncommand identifier which may cause multiple requests to be marked\nas pending (FLAG_DEFER_SETUP) which can cause more than\nL2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer\ncausing an overflow.\n\nThe spec is quite clear that the same identifier shall not be used on\nsubsequent requests:\n\n'Within each signaling channel a different Identifier shall be used\nfor each successive request or indication.'\nhttps://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d\n\nSo this attempts to check if there are any channels pending with the\nsame identifier and rejects if any are found.","modified":"2026-04-02T13:12:23.937141Z","published":"2026-03-25T10:33:18.936Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23395.json","cna_assigner":"Linux"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2124d82fd25e1671bb3ceb37998af5aae5903e06"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5b3e2052334f2ff6d5200e952f4aa66994d09899"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6b949a6b33cbdf621d9fc6f0c48ac00915dbf514"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8d0d94f8ba5b3a0beec3b0da558b9bea48018117"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e72ee455297b794b852e5cea8d2d7bb17312172a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fb4a3a26483f3ea2cd21c7a2f7c45d5670600465"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23395.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23395"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"15f02b91056253e8cdc592888f431da0731337b8"},{"fixed":"fb4a3a26483f3ea2cd21c7a2f7c45d5670600465"},{"fixed":"2124d82fd25e1671bb3ceb37998af5aae5903e06"},{"fixed":"6b949a6b33cbdf621d9fc6f0c48ac00915dbf514"},{"fixed":"8d0d94f8ba5b3a0beec3b0da558b9bea48018117"},{"fixed":"e72ee455297b794b852e5cea8d2d7bb17312172a"},{"fixed":"5b3e2052334f2ff6d5200e952f4aa66994d09899"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23395.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.7.0"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.20"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23395.json"}}],"schema_version":"1.7.5"}