Skip to main content

Linux Kernel CVE-2026-31513

| EUVDEUVD-2026-24897 HIGH
Out-of-bounds Read (CWE-125)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8h97-6438-987h
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 16:22 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 16:15 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:25 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
8.1 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24897
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 8.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req

Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd() that is triggered by a malformed Enhanced Credit Based Connection Request.

The vulnerability stems from l2cap_ecred_conn_req(). The function allocates a local stack buffer (pdu) designed to hold a maximum of 5 Source Channel IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more than 5 SCIDs, the function calculates rsp_len based on this unvalidated cmd_len before checking if the number of SCIDs exceeds L2CAP_ECRED_MAX_CID.

If the SCID count is too high, the function correctly jumps to the response label to reject the packet, but rsp_len retains the attacker's oversized value. Consequently, l2cap_send_cmd() is instructed to read past the end of the 18-byte pdu buffer, triggering a KASAN panic.

Fix this by moving the assignment of rsp_len to after the num_scid boundary check. If the packet is rejected, rsp_len will safely remain 0, and the error response will only read the 8-byte base header from the stack.

AnalysisAI

Buffer over-read in Linux kernel Bluetooth L2CAP allows adjacent network attackers to disclose sensitive kernel memory and crash systems via malformed Enhanced Credit Based Connection Requests. Affects multiple stable kernel versions (6.12.x, 6.18.x, 6.19.x). Vendor patches available for all affected branches. EPSS score of 0.02% indicates low observed exploitation probability despite the network-adjacent attack vector and lack of required authentication. No public exploit identified at time of analysis.

Technical ContextAI

The vulnerability exists in the Linux kernel's Bluetooth Low Energy (BLE) L2CAP (Logical Link Control and Adaptation Protocol) implementation, specifically within the Enhanced Credit Based Connection Request handler (l2cap_ecred_conn_req). L2CAP provides connection-oriented and connectionless data services for higher-layer protocols. The function allocates an 18-byte stack buffer designed for up to 5 Source Channel IDs (SCIDs) as defined by L2CAP_ECRED_MAX_CID. When processing incoming Enhanced Credit Based Connection Requests, the code calculates response length (rsp_len) from the attacker-supplied command length before validating that the SCID count does not exceed the maximum. If validation fails, the error path attempts to send a rejection response using the oversized rsp_len value, causing l2cap_send_cmd to read beyond the stack buffer boundary. This manifests as a KASAN-detected stack-out-of-bounds read in l2cap_build_cmd, disclosed through syzbot fuzzing.

RemediationAI

Apply vendor-released kernel patches immediately: upgrade to Linux kernel 6.12.80 or later for 6.12.x series, 6.18.21 or later for 6.18.x series, or 6.19.11 or later for 6.19.x series. Upstream fix commits available at https://git.kernel.org/stable/c/a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b (mainline), https://git.kernel.org/stable/c/5b35f8211a913cfe7ab9d54fa36a272d2059a588, https://git.kernel.org/stable/c/9d87cb22195b2c67405f5485d525190747ad5493, and https://git.kernel.org/stable/c/c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc. For environments where immediate patching is not feasible, disable Bluetooth functionality entirely via kernel module blacklisting (add 'blacklist bluetooth' to /etc/modprobe.d/blacklist.conf and unload btusb, bluetooth modules) - note this breaks all Bluetooth-dependent services and devices. Alternatively, restrict Bluetooth access to trusted devices only via MAC address filtering in BlueZ configuration, though this provides defense-in-depth rather than complete mitigation as the vulnerability occurs during connection request processing before authentication. Network segmentation to isolate Bluetooth-enabled systems from untrusted adjacent networks reduces exposure but does not eliminate risk from physical proximity attacks.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31513 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy