Skip to main content

Linux Kernel EUVDEUVD-2026-26584

| CVE-2026-31771 HIGH
2026-05-01 Linux
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:30 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
8.1 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26584
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 8.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: move wake reason storage into validated event handlers

hci_store_wake_reason() is called from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() enforces the per-event minimum payload length from hci_ev_table. This means a short HCI event frame can reach bacpy() before any bounds check runs.

Rather than duplicating skb parsing and per-event length checks inside hci_store_wake_reason(), move wake-address storage into the individual event handlers after their existing event-length validation has succeeded. Convert hci_store_wake_reason() into a small helper that only stores an already-validated bdaddr while the caller holds hci_dev_lock(). Use the same helper after hci_event_func() with a NULL address to preserve the existing unexpected-wake fallback semantics when no validated event handler records a wake address.

Annotate the helper with __must_hold(&hdev->lock) and add lockdep_assert_held(&hdev->lock) so future call paths keep the lock contract explicit.

Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(), hci_sync_conn_complete_evt(), le_conn_complete_evt(), hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(), hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and hci_le_past_received_evt().

AnalysisAI

Out-of-bounds memory read in Linux kernel Bluetooth HCI event processing allows adjacent network attackers to disclose kernel memory or trigger denial of service without authentication. The vulnerability stems from premature wake reason storage before per-event payload length validation, enabling crafted short HCI event frames to reach bacpy() operations before bounds checking. EPSS score is low (0.02%, 6th percentile) with no evidence of active exploitation or public POC at time of analysis. Vendor patches available for kernel versions 5.10+ through 6.19.12 and mainline 7.0.

Technical ContextAI

This vulnerability affects the Linux kernel's Bluetooth Host Controller Interface (HCI) event processing subsystem (net/bluetooth/hci_event.c). The HCI layer handles communication between the Bluetooth host stack and Bluetooth controllers. The flaw occurs in hci_event_packet() which calls hci_store_wake_reason() immediately after stripping the HCI event header but before hci_event_func() enforces minimum payload length requirements defined in hci_ev_table. This creates a time-of-check-time-of-use vulnerability where bacpy() memory copy operations can access out-of-bounds memory from truncated HCI event frames. The fix refactors wake-reason storage into individual validated event handlers (hci_conn_request_evt, hci_conn_complete_evt, hci_sync_conn_complete_evt, le_conn_complete_evt, hci_le_adv_report_evt, and others) that only execute after their length validation succeeds, with lockdep annotations ensuring proper locking discipline. CPE data confirms impact across Linux kernel 5.10 through mainline with specific commits referenced.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.x with commit 86c8d07a64d553c41e213b52650020010f9ef23e applied, 6.19.12 or later, or mainline 7.0+ with commit 2b2bf47cd75518c36fa2d41380e4a40641cc89cd. Consult distribution-specific security advisories for backported packages (RHEL/CentOS, Ubuntu, Debian, SUSE). Patch details available at https://git.kernel.org/stable/c/2b2bf47cd75518c36fa2d41380e4a40641cc89cd and https://git.kernel.org/stable/c/86c8d07a64d553c41e213b52650020010f9ef23e. If immediate patching is not feasible, disable Bluetooth subsystem via kernel boot parameter (bluetooth.disable_ertm=1 or rmmod btusb bnep bluetooth) to eliminate attack surface entirely - this breaks all Bluetooth functionality including input devices, audio, and file transfer. Alternatively, restrict Bluetooth to trusted devices only via allowlisting in BlueZ configuration, though this does not prevent exploitation from allowed devices. Network segmentation cannot mitigate adjacent-network Bluetooth attacks. Test kernel upgrades in non-production environments first as Bluetooth subsystem changes may affect driver compatibility.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy