CVE-2026-23299

Bluetooth: purge error queues in socket destructors

Assigner: Linux
Reserved: 13.01.2026 Published: 25.03.2026 Updated: 25.03.2026

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: purge error queues in socket destructors

When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued into sk_error_queue and will stay there until consumed. If userspace never gets to read the timestamps, or if the controller is removed unexpectedly, these SKBs will leak.

Fix by adding skb_queue_purge() calls for sk_error_queue in affected bluetooth destructors. RFCOMM does not currently use sk_error_queue.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 134f4b39df7b77225a80ef585c15d46f964f5e6f to 2b6c942a526635f5c61d2f000258e620da32d3a7 (excl.) affected from 134f4b39df7b77225a80ef585c15d46f964f5e6f to 3de7c10a950b36affc692d8bd2ac713852580e56 (excl.) affected from 134f4b39df7b77225a80ef585c15d46f964f5e6f to 21e4271e65094172aadd5beb8caea95dd0fbf6d7 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from 134f4b39df7b77225a80ef585c15d46f964f5e6f to 2b6c942a526635f5c61d2f000258e620da32d3a7 (excl.)
affected from 134f4b39df7b77225a80ef585c15d46f964f5e6f to 3de7c10a950b36affc692d8bd2ac713852580e56 (excl.)
affected from 134f4b39df7b77225a80ef585c15d46f964f5e6f to 21e4271e65094172aadd5beb8caea95dd0fbf6d7 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 6.15 is affected unaffected from 0 to 6.15 (excl.) unaffected from 6.18.17 to 6.18.* (incl.) unaffected from 6.19.7 to 6.19.* (incl.) unaffected from 7.0-rc2 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 6.15 is affected
unaffected from 0 to 6.15 (excl.)
unaffected from 6.18.17 to 6.18.* (incl.)
unaffected from 6.19.7 to 6.19.* (incl.)
unaffected from 7.0-rc2 to * (incl.)

References

CVE-2026-23299 PUBLISHED

Bluetooth: purge error queues in socket destructors

Product Status

References