The Linux kernel team has patched a Bluetooth flaw that could crash systems running kernel versions going back to 3.1. CVE-2026-45835, published by the National Vulnerability Database on May 26, 2026, resolves a NULL pointer dereference in the L2CAP protocol’s socket connection callback. The fix adds a missing guard that was already present in neighboring functions, preventing a kernel panic if a Bluetooth device triggers the vulnerable code path.

For Windows admins, this isn’t a Windows vulnerability—it’s a reminder that Linux devices live inside nearly every modern Microsoft shop, from developer workstations running WSL2 to backend servers and IoT appliances. The bug itself is local and low complexity, requiring an attacker to be within Bluetooth range and able to execute code on the target. But a crash is still a crash, and the potential for denial-of-service on critical Linux systems warrants a closer look.

One Missing Check, One Kernel Panic

A NULL pointer dereference means code tried to use a pointer that points to nothing. In the Linux kernel, that usually results in a system crash. The problem sits in l2cap_sock_new_connection_cb(), a callback that fires when a new L2CAP socket connection is established over Bluetooth. The fix: add a simple if (!parent) guard, the same check already used in two sibling callbacks, l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

The affected code has been around since Linux 3.1 (2011). Stable kernel updates containing the patch are now available for all supported long-term branches:

Kernel Series Fixed Version
5.10 5.10.258
5.15 5.15.209
6.1 6.1.175
6.6 6.6.140
6.12 6.12.88
6.18 6.18.30
7.0 7.0.7

NVD assigned a CVSS 3.1 base score of 5.5 (Medium). The vector string reads: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H—local attack, low complexity, low privileges required, no user interaction, with a high impact on availability. No confidentiality or integrity impact. In other words, an attacker who already has some foothold on the system can crash it by sending a malicious Bluetooth sequence. There’s no suggestion of remote code execution.

What This Means for Your Environment

If you’re running Windows 11 on a laptop, this CVE doesn’t affect your Bluetooth stack. Microsoft’s own code is not involved. But the moment you spin up a Linux VM, boot a dual-boot machine, or deploy a Linux-powered device somewhere in your network, the landscape changes.

Home users and developers who dual-boot or use Windows Subsystem for Linux 2 need a reality check: WSL2 runs a real Linux kernel, but it does not expose the host Bluetooth radio directly as a Linux Bluetooth interface. That means the vulnerable code path isn’t reachable through WSL2 alone. Your real risk comes from native Linux installs—on old laptops, Raspberry Pi projects, or home servers left with Bluetooth enabled.

Enterprise IT teams should treat this as an inventory test. How many Linux endpoints can you actually identify? Do you know which ones have Bluetooth hardware? Is Bluetooth turned on in firmware and the OS? For servers in data centers, the answer should be almost none; a racked machine has no business leaving Bluetooth active. But for Linux-based kiosks, conference room controllers, or test rigs, the answer may be yes—and those systems often live in physically accessible spaces where proximity attacks are plausible.

Hybrid Windows shops often manage Linux through separate tools, leaving blind spots. If your vulnerability scanner only checks package versions without knowing the hardware configuration, it might flag a headless VM that can’t actually be exploited. Conversely, it might miss a dual-boot developer laptop where the Linux side is unpatched and Bluetooth is wide open. This CVE is a chance to close that gap.

How We Got Here: A Decade-Old Assumption Bites Back

The bug traces back to the kernel’s L2CAP implementation in 3.1. For years, the callback assumed a socket’s parent would always exist at connection time. That assumption was wrong in rare cases—perhaps during teardown races or error handling—but the path remained untriggered. Then, as kernel fuzzing tools like syzkaller grew more sophisticated, such edge cases got exercised.

The fix mirrors what maintainers already did for two similar callbacks: if the parent socket is NULL, bail out immediately. It’s a standard defensive pattern in kernel code, and the fact that this callback was overlooked suggests the L2CAP code still has untested corners. The 5.5 CVSS score reflects a bug that’s low impact per occurrence but could disrupt services in the right context.

This CVE also highlights a shift in how the Linux kernel project handles security defects. Over the last few years, kernel.org has begun assigning CVE identifiers to many small, already-fixed bugs that might previously have stayed as quiet commits. That means more CVEs in the pipeline, often with sparse initial details—just like this one, which started without a score and with only kernel.org references. For security teams, that means learning to triage based on subsystem, exposure, and patch availability rather than waiting for a magic CVSS number.

What to Do Now

  1. Audit your Linux footprint. Start with any device that runs a Linux kernel and has Bluetooth hardware. That includes laptops, embedded systems, single-board computers, and appliances. Don’t forget dual-boot machines and Linux VMs with USB Bluetooth passthrough.

  2. Disable Bluetooth where it’s not needed. On servers, run systemctl disable bluetooth or blacklist the bluetooth kernel module. On appliances, check the vendor’s guidance. There’s rarely a reason for a racked server to have Bluetooth active.

  3. Patch promptly if Bluetooth is in use. Apply the fixed kernel from your distribution’s stable repositories. Reboot to activate the new kernel. If you’re on a rolling release, you likely already have the fix. For enterprise distributions, check vendor advisories; many backport patches to older kernel versions without bumping the main version number.

  4. Verify after patching. Confirm the fixed kernel version with uname -r. On Debian/Ubuntu, check the package changelog (apt changelog linux-image-...). On Red Hat, consult the errata. Remember: installing a kernel update doesn’t protect you until you reboot into it.

  5. Consider physical exposure. If a Linux laptop goes through airports and coffee shops, treat it with the same urgency you would a Windows laptop. The CVSS score says “local,” but local attacks become practical when the device travels.

  6. Don’t panic, but don’t dismiss. This isn’t a wormable remote exploit. It’s a local crash bug that requires Bluetooth proximity and low privileges. That makes it a lower priority than, say, a remote code execution flaw in an internet-facing service. However, if your Linux kiosk controlling a building’s HVAC crashes repeatedly because of this bug, the disruption is real.

Outlook: More Kernel CVEs, More Cross-Platform Awareness

The steady stream of Linux kernel CVEs isn’t going to slow down. The project’s commitment to transparent reporting means every NULL pointer fix gets a CVE. For Windows-centric organizations, this is a call to build genuine Linux competency into their patch management programs. The days of pretending Linux doesn’t exist in a Microsoft environment are long gone.

In the immediate future, watch for distribution-specific advisories and firmware updates from appliance vendors. Some will patch quickly; others may take months. The true risk isn’t this single bug—it’s the device that never gets updated because nobody realized it was vulnerable in the first place. That’s where your attention should be.