Skip to main content

Linux Kernel CVE-2026-31512

| EUVDEUVD-2026-24895 MEDIUM
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r6qv-6h22-hpj4
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 15:22 vuln.today
CVSS changed
Apr 28, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 15:08 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24895
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()

l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb.

The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the same validation to the Enhanced Credit Based Flow Control data path.

AnalysisAI

Denial of service via buffer over-read in Linux kernel Bluetooth L2CAP Enhanced Credit Based Flow Control data path allows local authenticated attackers to crash the system by sending malformed L2CAP packets with insufficient payload length. The vulnerability exists in l2cap_ecred_data_rcv() which reads the SDU length field without validating that the socket buffer contains the required 2 bytes, causing an out-of-bounds read that triggers a kernel panic when the buffer is too small. EPSS exploitation probability is 0.02% (percentile 7%), and a vendor patch is available.

Technical ContextAI

The Linux kernel Bluetooth subsystem implements the L2CAP (Logical Link Control and Adaptation Protocol) layer, which handles segmentation and reassembly of data over Bluetooth connections. The Enhanced Credit Based Flow Control (ECBFC) feature provides improved data transmission reliability. The vulnerability is rooted in a missing input validation check (CWE-20: Improper Input Validation) in the l2cap_ecred_data_rcv() function, which processes incoming L2CAP PDUs in the ECBFC data path. When reading the SDU (Service Data Unit) length field using get_unaligned_le16(), the code does not first call pskb_may_pull() to verify that skb->len is at least L2CAP_SDULEN_SIZE (2 bytes). In contrast, the ERTM (Enhanced Retransmission Mode) reassembly path in l2cap_reassemble_sdu() correctly performs this validation before accessing the same field. This inconsistency allows crafted Bluetooth packets with skb->len < 2 to trigger out-of-bounds memory reads, causing kernel panic.

RemediationAI

Apply vendor-released kernel patches: upgrade to Linux 5.10.253 or later (5.10 series), 5.15.203 or later (5.15 series), 6.1.168 or later (6.1 series), 6.6.131 or later (6.6 series), 6.12.80 or later (6.12 series), 6.18.21 or later (6.18 series), or 7.0 or later. The fix adds a pskb_may_pull() validation call in l2cap_ecred_data_rcv() before reading the SDU length field, mirroring the existing protection in the ERTM reassembly path. If immediate kernel upgrade is not feasible, restrict Bluetooth capabilities on untrusted systems or disable L2CAP Enhanced Credit Based Flow Control at the kernel module level (echo 'blacklist btl2cap' >> /etc/modprobe.d/blacklist.conf and reboot), though this disables legitimate ECBFC functionality. For Bluetooth-enabled systems where ECBFC cannot be disabled, implement strict access controls limiting Bluetooth connections to trusted devices only via Bluetooth authentication pairing. Monitor kernel logs for L2CAP-related panics and investigate unexpected Bluetooth disconnections. Patched versions are available across all stable branches with no known side effects from the validation addition.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31512 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy