CVE-2026-5068 – bt: l2cap le coc: remote oob write via seg counter stored in net_buf user_data

CVE ID :CVE-2026-5068

Published : June 9, 2026, 8:16 a.m. | 19 minutes ago

Description :A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the segmentation counter stored in the net_buf user_data area is written out of bounds in l2cap_chan_le_recv_seg (subsys/bluetooth/host/l2cap.c). The observed effects are an AddressSanitizer abort and, without ASan, heap corruption / fatal error.

Severity: 7.6 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-9698 – DBI versions before 1.648 for Perl saved errors in a limited-sized buffer

CVE-2026-44083 – QuMagie

CVE-2026-41986 – ACME File System Logic Bypass Denial of Service

CVE-2026-41985 – Package Management Module Use-After-Free Vulnerability