Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53208

CVE-2026-53208: Linux Kernel Bluetooth L2CAP DoS Flaw

CVE-2026-53208 is a denial of service vulnerability in the Linux kernel's Bluetooth L2CAP implementation allowing attackers to force excessive response frames. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-53208 Overview

CVE-2026-53208 affects the Linux kernel Bluetooth subsystem, specifically the L2CAP (Logical Link Control and Adaptation Protocol) implementation in net/bluetooth/l2cap_core.c. The function l2cap_sig_channel() accepts BR/EDR signaling packets up to the channel MTU without enforcing the signaling MTU (MTUsig) defined by the Bluetooth Core specification. A Bluetooth BR/EDR peer within radio range can send a single oversized signaling packet on fixed-channel CID 0x0001 containing many packed L2CAP_ECHO_REQ commands before any pairing occurs. Researchers observed one 681-byte packet with 168 zero-length ECHO_REQ commands forcing the target to transmit 168 ECHO_RSP frames in roughly 220 milliseconds.

Critical Impact

An unauthenticated attacker within Bluetooth radio range can force amplified response traffic from a target host before pairing, consuming radio bandwidth and CPU resources.

Affected Products

  • Linux kernel Bluetooth subsystem (net/bluetooth/l2cap_core.c)
  • BR/EDR signaling parser in mainline and stable kernel branches
  • Systems with active Bluetooth BR/EDR radios in discoverable or connectable state

Discovery Timeline

  • 2026-06-25 - CVE-2026-53208 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53208

Vulnerability Analysis

The defect resides in the BR/EDR signaling channel parser. l2cap_sig_channel() iterates over command headers contained in a signaling packet but bounds its read against the channel MTU rather than the protocol-mandated signaling MTU. The Bluetooth Core specification sets the minimum signaling MTU at 48 bytes, but Linux historically accepted significantly larger packets. This permits a remote peer to pack many commands into a single frame and have each one dispatched.

The L2CAP_ECHO_REQ command requires a corresponding L2CAP_ECHO_RSP response. By stuffing dozens of zero-length ECHO_REQ commands into one signaling packet, an attacker forces the kernel to transmit a proportionally large number of response frames. This yields a packet-amplification primitive that consumes radio airtime and CPU cycles on the victim.

Root Cause

The unrestricted BR/EDR signaling parser and the ECHO_REQ response path both trace back to the initial git import of the Linux Bluetooth stack. No later introducing commit exists, so the maintainers did not assign a Fixes: tag. The root cause is missing enforcement of the MTUsig boundary before command dispatch in l2cap_sig_channel().

Attack Vector

The attacker must be within Bluetooth BR/EDR radio range of the target. No pairing, authentication, or user interaction is required. A single crafted fixed-channel CID 0x0001 packet larger than 48 bytes containing packed ECHO_REQ commands triggers the amplification. Because the abuse occurs before pairing, security controls that depend on link-layer authentication do not apply.

The vulnerability behavior is described in prose only; verified proof-of-concept code is not publicly available. Refer to the upstream kernel commits for the corrective patches.

Detection Methods for CVE-2026-53208

Indicators of Compromise

  • Bursts of outbound L2CAP_ECHO_RSP frames on BR/EDR fixed-channel CID 0x0001 without a corresponding pairing event
  • Inbound L2CAP signaling packets larger than 48 bytes from unpaired peers
  • Sustained radio activity on Bluetooth interfaces from devices that have not completed pairing

Detection Strategies

  • Capture HCI traffic with btmon or hcidump and flag signaling frames where the L2CAP length field exceeds the spec MTUsig of 48 bytes
  • Alert on rapid sequences of ECHO_RSP transmissions originating from a single peer address before authentication completes
  • Inspect kernel logs for any new L2CAP_COMMAND_REJECT_RSP events carrying L2CAP_REJ_MTU_EXCEEDED once the patched kernel is deployed, as these indicate active probing

Monitoring Recommendations

  • Forward Bluetooth HCI logs from Linux endpoints into a centralized logging or SIEM pipeline for correlation across the fleet
  • Track per-peer signaling packet size distributions on hosts that must keep Bluetooth enabled
  • Monitor CPU and radio utilization spikes on Bluetooth-equipped Linux systems, especially in dense public environments

How to Mitigate CVE-2026-53208

Immediate Actions Required

  • Apply the upstream Linux kernel patches that define MTUsig as 48 bytes and reject oversized signaling packets with L2CAP_REJ_MTU_EXCEEDED before any command is dispatched
  • Disable Bluetooth on systems that do not require BR/EDR connectivity, particularly servers, kiosks, and embedded devices
  • Place sensitive Linux endpoints out of untrusted radio range where feasible

Patch Information

The fix introduces MTUsig enforcement in l2cap_sig_channel(). Any BR/EDR signaling packet larger than 48 bytes is rejected with a single L2CAP_COMMAND_REJECT_RSP carrying L2CAP_REJ_MTU_EXCEEDED, using the identifier from the first command header. This deliberately deviates from the spec wording about silently discarding response-only packets, because silent drops desynchronize the peer and locating the first request would require parsing bytes from a packet already deemed too large. Patches are distributed across multiple stable branches; see the Kernel Git Commit a8335f3d, Kernel Git Commit 214a2042, Kernel Git Commit b20e8a98, Kernel Git Commit dd214733, Kernel Git Commit dedc92b9, Kernel Git Commit e05c4ac5, Kernel Git Commit e2b8acf9, and Kernel Git Commit fa582312.

Workarounds

  • Unload the bluetooth and btusb kernel modules on systems where BR/EDR is not required
  • Use rfkill block bluetooth to disable the radio on hosts that cannot be patched immediately
  • Restrict physical access and reduce wireless exposure for high-value Linux systems until patched kernels are deployed
bash
# Disable Bluetooth radio and prevent module load until kernel is patched
sudo rfkill block bluetooth
sudo systemctl disable --now bluetooth.service
echo 'install bluetooth /bin/true' | sudo tee /etc/modprobe.d/disable-bluetooth.conf
echo 'install btusb /bin/true'     | sudo tee -a /etc/modprobe.d/disable-bluetooth.conf
sudo modprobe -r btusb bluetooth 2>/dev/null || true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.