CVE-2026-23299 Overview
CVE-2026-23299 is a Memory Leak vulnerability in the Linux kernel's Bluetooth subsystem. The flaw exists in the socket destructor handling when TX timestamping is enabled via SO_TIMESTAMPING. When this feature is enabled, SKBs (socket buffer structures) may be queued into sk_error_queue and remain there until consumed by userspace. If userspace never reads the timestamps, or if the Bluetooth controller is removed unexpectedly, these SKBs will leak, potentially leading to memory exhaustion over time.
Critical Impact
Systems with Bluetooth functionality enabled could experience gradual memory exhaustion, leading to system instability or denial of service conditions when timestamping features are actively used.
Affected Products
- Linux kernel (Bluetooth subsystem)
- Systems with Bluetooth HCI, L2CAP, and SCO socket implementations
- RFCOMM protocol is not affected as it does not currently use sk_error_queue
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23299 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23299
Vulnerability Analysis
The vulnerability stems from improper resource cleanup in the Bluetooth socket destructor functions. When TX timestamping is enabled via the SO_TIMESTAMPING socket option, the kernel queues socket buffers (SKBs) into sk_error_queue to deliver timestamp information back to userspace. Under normal operation, userspace applications would read these timestamps from the error queue, causing the SKBs to be dequeued and freed.
However, the original implementation did not account for scenarios where these queued SKBs would never be consumed. Two primary scenarios trigger this memory leak: when userspace applications fail to read the timestamps before closing the socket, and when the Bluetooth controller is unexpectedly removed while SKBs are still queued. In both cases, the socket destructor would complete without purging the sk_error_queue, leaving the SKBs allocated indefinitely.
Root Cause
The root cause is the absence of skb_queue_purge() calls for sk_error_queue in the Bluetooth socket destructor functions. The affected socket types include HCI, L2CAP, and SCO sockets. When these sockets are destroyed, the destructor should clean up all associated resources, including any remaining entries in the error queue. The RFCOMM protocol implementation does not currently utilize sk_error_queue, making it unaffected by this specific issue.
Attack Vector
This vulnerability could be exploited in a local denial of service scenario. An attacker with the ability to create Bluetooth sockets and enable timestamping could deliberately:
- Open multiple Bluetooth sockets with SO_TIMESTAMPING enabled
- Generate network traffic that triggers timestamp events to be queued
- Close the sockets without reading the error queue
- Repeat the process to gradually exhaust kernel memory
The attack requires local access and the ability to create Bluetooth sockets, limiting the attack surface to authenticated local users or compromised processes with appropriate capabilities.
Detection Methods for CVE-2026-23299
Indicators of Compromise
- Gradual increase in kernel memory usage over time on systems with active Bluetooth connections
- Increasing sk_buff allocation counts in /proc/slabinfo without corresponding frees
- System instability or OOM (Out of Memory) killer activation on systems with heavy Bluetooth usage
- Bluetooth-related processes showing unexpectedly high memory consumption
Detection Strategies
- Monitor kernel memory allocation patterns using slabtop or /proc/slabinfo for unusual sk_buff growth
- Implement memory monitoring alerts for systems with active Bluetooth functionality
- Audit application usage of SO_TIMESTAMPING on Bluetooth sockets
- Track kernel versions against the patched commits to identify vulnerable systems
Monitoring Recommendations
- Deploy system monitoring to track kernel memory usage trends over extended periods
- Configure alerts for abnormal memory consumption patterns on Bluetooth-enabled servers and workstations
- Review system logs for OOM killer events that may indicate exploitation attempts
- Maintain an inventory of systems running vulnerable kernel versions
How to Mitigate CVE-2026-23299
Immediate Actions Required
- Update to a patched Linux kernel version that includes the fix commits
- If immediate patching is not possible, consider disabling Bluetooth functionality on critical systems
- Monitor memory usage on systems that cannot be immediately patched
- Review and restrict local user access to Bluetooth socket creation capabilities
Patch Information
The Linux kernel development team has resolved this vulnerability by adding skb_queue_purge() calls for sk_error_queue in the affected Bluetooth socket destructor functions. The fix ensures that any remaining SKBs in the error queue are properly freed when sockets are destroyed.
The following kernel commits contain the fix:
Workarounds
- Disable TX timestamping functionality if not required for operational purposes
- Restrict Bluetooth socket creation to trusted users and processes using capability controls
- Implement resource limits (cgroups) to contain potential memory exhaustion from affected processes
- Monitor and restart affected services if memory leaks are detected before patches can be applied
# Check current kernel version for vulnerability assessment
uname -r
# Monitor sk_buff allocations for potential leaks
watch -n 5 'grep skbuff /proc/slabinfo'
# Disable Bluetooth functionality temporarily if not needed
sudo systemctl stop bluetooth
sudo systemctl disable bluetooth
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
