{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23395", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.011Z", "datePublished": "2026-03-25T10:33:18.936Z", "dateUpdated": "2026-04-18T08:58:29.622Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-18T08:58:29.622Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ\n\nCurrently the code attempts to accept requests regardless of the\ncommand identifier which may cause multiple requests to be marked\nas pending (FLAG_DEFER_SETUP) which can cause more than\nL2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer\ncausing an overflow.\n\nThe spec is quite clear that the same identifier shall not be used on\nsubsequent requests:\n\n'Within each signaling channel a different Identifier shall be used\nfor each successive request or indication.'\nhttps://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d\n\nSo this attempts to check if there are any channels pending with the\nsame identifier and rejects if any are found."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "15f02b91056253e8cdc592888f431da0731337b8", "lessThan": "10a7a702542240d5edb2b39450ac951c59ccd009", "status": "affected", "versionType": "git"}, {"version": "15f02b91056253e8cdc592888f431da0731337b8", "lessThan": "46e5b71666fb7652082e4e214a3365f4b14f1dc3", "status": "affected", "versionType": "git"}, {"version": "15f02b91056253e8cdc592888f431da0731337b8", "lessThan": "fb4a3a26483f3ea2cd21c7a2f7c45d5670600465", "status": "affected", "versionType": "git"}, {"version": "15f02b91056253e8cdc592888f431da0731337b8", "lessThan": "2124d82fd25e1671bb3ceb37998af5aae5903e06", "status": "affected", "versionType": "git"}, {"version": "15f02b91056253e8cdc592888f431da0731337b8", "lessThan": "6b949a6b33cbdf621d9fc6f0c48ac00915dbf514", "status": "affected", "versionType": "git"}, {"version": "15f02b91056253e8cdc592888f431da0731337b8", "lessThan": "8d0d94f8ba5b3a0beec3b0da558b9bea48018117", "status": "affected", "versionType": "git"}, {"version": "15f02b91056253e8cdc592888f431da0731337b8", "lessThan": "e72ee455297b794b852e5cea8d2d7bb17312172a", "status": "affected", "versionType": "git"}, {"version": "15f02b91056253e8cdc592888f431da0731337b8", "lessThan": "5b3e2052334f2ff6d5200e952f4aa66994d09899", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/10a7a702542240d5edb2b39450ac951c59ccd009"}, {"url": "https://git.kernel.org/stable/c/46e5b71666fb7652082e4e214a3365f4b14f1dc3"}, {"url": "https://git.kernel.org/stable/c/fb4a3a26483f3ea2cd21c7a2f7c45d5670600465"}, {"url": "https://git.kernel.org/stable/c/2124d82fd25e1671bb3ceb37998af5aae5903e06"}, {"url": "https://git.kernel.org/stable/c/6b949a6b33cbdf621d9fc6f0c48ac00915dbf514"}, {"url": "https://git.kernel.org/stable/c/8d0d94f8ba5b3a0beec3b0da558b9bea48018117"}, {"url": "https://git.kernel.org/stable/c/e72ee455297b794b852e5cea8d2d7bb17312172a"}, {"url": "https://git.kernel.org/stable/c/5b3e2052334f2ff6d5200e952f4aa66994d09899"}], "title": "Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "44827F4D-4242-412D-B59A-6D9F5FC547B1", "versionEndExcluding": "5.10.253", "versionStartIncluding": "5.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.7:-:*:*:*:*:*:*", "matchCriteriaId": "3D23CE42-BDB2-4216-8495-230ABE98FCDD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ\n\nCurrently the code attempts to accept requests regardless of the\ncommand identifier which may cause multiple requests to be marked\nas pending (FLAG_DEFER_SETUP) which can cause more than\nL2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer\ncausing an overflow.\n\nThe spec is quite clear that the same identifier shall not be used on\nsubsequent requests:\n\n'Within each signaling channel a different Identifier shall be used\nfor each successive request or indication.'\nhttps://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d\n\nSo this attempts to check if there are any channels pending with the\nsame identifier and rejects if any are found."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nBluetooth: L2CAP: Correcci\u00f3n para aceptar m\u00faltiples L2CAP_ECRED_CONN_REQ\n\nActualmente, el c\u00f3digo intenta aceptar solicitudes independientemente del identificador de comando, lo que puede hacer que m\u00faltiples solicitudes se marquen como pendientes (FLAG_DEFER_SETUP), lo que puede causar que se asignen m\u00e1s de L2CAP_ECRED_MAX_CID(5) en l2cap_ecred_rsp_defer, causando un desbordamiento.\n\nLa especificaci\u00f3n es bastante clara en que el mismo identificador no debe usarse en solicitudes subsiguientes:\n\n'Dentro de cada canal de se\u00f1alizaci\u00f3n se utilizar\u00e1 un identificador diferente para cada solicitud o indicaci\u00f3n sucesiva.'\nhttps://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d\n\nAs\u00ed que esto intenta verificar si hay canales pendientes con el mismo identificador y los rechaza si se encuentra alguno."}], "id": "CVE-2026-23395", "lastModified": "2026-04-24T15:20:17.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:40.347", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/10a7a702542240d5edb2b39450ac951c59ccd009"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2124d82fd25e1671bb3ceb37998af5aae5903e06"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/46e5b71666fb7652082e4e214a3365f4b14f1dc3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5b3e2052334f2ff6d5200e952f4aa66994d09899"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6b949a6b33cbdf621d9fc6f0c48ac00915dbf514"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8d0d94f8ba5b3a0beec3b0da558b9bea48018117"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e72ee455297b794b852e5cea8d2d7bb17312172a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fb4a3a26483f3ea2cd21c7a2f7c45d5670600465"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ", "id": "2451160", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451160"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-1288", "details": ["A flaw was found in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) implementation. A remote attacker could exploit this vulnerability by sending multiple enhanced credit-based connection requests with the same identifier. This improper handling of requests can lead to a memory overflow, potentially causing a denial of service on the affected system."], "name": "CVE-2026-23395", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23395\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23395\nhttps://lore.kernel.org/linux-cve-announce/2026032549-CVE-2026-23395-5e50@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[15f02b91056253e8cdc592888f431da0731337b8,fb4a3a26483f3ea2cd21c7a2f7c45d5670600465)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[15f02b91056253e8cdc592888f431da0731337b8,2124d82fd25e1671bb3ceb37998af5aae5903e06)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[15f02b91056253e8cdc592888f431da0731337b8,6b949a6b33cbdf621d9fc6f0c48ac00915dbf514)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[15f02b91056253e8cdc592888f431da0731337b8,8d0d94f8ba5b3a0beec3b0da558b9bea48018117)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[15f02b91056253e8cdc592888f431da0731337b8,e72ee455297b794b852e5cea8d2d7bb17312172a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[15f02b91056253e8cdc592888f431da0731337b8,5b3e2052334f2ff6d5200e952f4aa66994d09899)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:56:57.235844+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that incorporates the L2CAP_ECRED_CONN_REQ patch.", "If an immediate kernel upgrade is not feasible, disable Bluetooth on the affected device to eliminate the attack surface.", "As a temporary countermeasure, limit Bluetooth discoverability and unpair any unnecessary neighboring devices to reduce exposure."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects all Linux kernel versions that contain the vulnerable L2CAP code. All distributions that ship an unpatched kernel are impacted. The patch is rolled into the latest kernel releases and is required regardless of distribution version. The advisory points to kernel source and kernel.org commits for guidance on applying the fix.", "description_and_impact": "The Linux kernel's Bluetooth L2CAP implementation incorrectly accepts multiple connection requests with the same identifier. Because the code does not check for pending requests, it can mark more than the maximum allowed number of links (L2CAP_ECRED_MAX_CID=5) as pending. This causes an overflow in the allocated link list, which can corrupt memory and results in a denial of service by crashing the Bluetooth subsystem.", "risk_and_exploitability": "The vulnerability scores an 8.8 on CVSS, indicating high severity. The EPSS score is below 1%, indicating a low probability of widespread exploitation. The flaw is not listed in the CISA KEV catalog. Attackers would need to connect to the device over Bluetooth with a crafted L2CAP connection request; thus the vector is inferred to be local or near\u2011range Bluetooth rather than internet\u2011accessible. Without the patch, an attacker could trigger the overflow by sending more than five overlapping L2CAP connection requests."}}}}, "created": "2026-03-25T21:31:21.054201+00:00", "updated": "2026-04-28T17:00:13.459439+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}