Skip to main content

Linux Kernel EUVDEUVD-2026-31857

| CVE-2026-45835 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-26 Linux GHSA-qjjp-q69m-v8xm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges required to invoke Bluetooth L2CAP callbacks; impact is kernel crash only, with no confidentiality or integrity exposure.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 21:27 vuln.today
CVSS changed
Jun 26, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
May 26, 2026 - 18:02 EUVD
CVE Published
May 26, 2026 - 16:14 nvd
MEDIUM 5.5
CVE Published
May 26, 2026 - 16:14 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()

Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

AnalysisAI

Null pointer dereference in the Linux kernel's Bluetooth L2CAP socket layer crashes the kernel when l2cap_sock_new_connection_cb() is invoked without the NULL guard present in sibling callbacks. Local unprivileged users on systems with Bluetooth enabled can trigger a kernel oops or panic, resulting in a denial of service. No public exploit or CISA KEV listing exists; EPSS probability is near zero at 0.02% (5th percentile), indicating minimal active exploitation interest at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) socket layer - the core multiplexing protocol underpinning most Bluetooth connection profiles. The affected function l2cap_sock_new_connection_cb() is a callback invoked when a new L2CAP connection is established, and it lacks the NULL pointer check that sibling callbacks l2cap_sock_resume_cb() and l2cap_sock_ready_cb() already carry. CWE-476 (NULL Pointer Dereference) identifies the root cause: the code dereferences a pointer without validating it is non-NULL, triggering a kernel exception. CPE data confirms all Linux kernel versions across affected stable branches are impacted until the respective backported fix commits. The subsystem requires CONFIG_BT_L2CAP to be compiled in and the Bluetooth hardware and module to be active.

RemediationAI

The primary fix is to upgrade to a patched kernel version: Linux 6.6.140 or later for the 6.6.x stable branch, 6.12.88 or later for 6.12.x, 6.18.30 or later for 6.18.x, 7.0.7 or later for 7.0.x, or 7.1-rc3 or later for 7.1.x. Distributions will backport these via their own security channels (Ubuntu USN, RHEL RHSA, Debian DSA); apply distribution-provided kernel updates as available. If immediate patching is not feasible and Bluetooth is not operationally required, disable the Bluetooth subsystem with systemctl disable --now bluetooth && rmmod btusb - this eliminates the attack surface entirely with no functional trade-off for non-Bluetooth workloads. On systems requiring Bluetooth, restrict L2CAP socket creation by untrusted users using AppArmor or SELinux policies limiting AF_BLUETOOTH socket access to specific trusted processes; note this may break unprivileged Bluetooth applications and requires policy tuning per deployment.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Image SLES12-SP5-Azure-BYOS Affected
Image SLES12-SP5-Azure-SAP-BYOS Image SLES12-SP5-Azure-SAP-On-Demand Image SLES12-SP5-EC2-SAP-On-Demand Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Fixed
openSUSE Tumbleweed Fixed

Share

EUVD-2026-31857 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy