CVE-2026-31393
Received - Intake
Out-of-Bounds Read in Linux Kernel Bluetooth L2CAP Component

Publication date: 2026-04-03

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access

l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present:

- L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8).
- L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5).

A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data.

Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled.
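
The guarded parse described above, modeled in user-space C as an added example (it is not the kernel patch and not code from this page). The three L2CAP constants match the kernel's l2cap.h; `parse_info_rsp`, `struct info_state`, `mask_for_len` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants match the kernel's l2cap.h; all other names are illustrative. */
#define L2CAP_IT_FEAT_MASK  0x0002
#define L2CAP_IT_FIXED_CHAN 0x0003
#define L2CAP_IR_SUCCESS    0x0000
#define INFO_RSP_HDR_LEN    4 /* type (le16) + result (le16) */

struct info_state { /* hypothetical stand-in for the per-connection fields */
    uint32_t feat_mask;         /* stays 0 when the payload is missing */
    uint8_t remote_fixed_chan;  /* stays 0 when the payload is missing */
};

/* Returns -1 if the fixed header is truncated; 0 means processing completed. */
int parse_info_rsp(const uint8_t *cmd, size_t cmd_len, struct info_state *st)
{
    if (cmd_len < INFO_RSP_HDR_LEN)
        return -1;
    uint16_t type = (uint16_t)(cmd[0] | cmd[1] << 8);
    uint16_t result = (uint16_t)(cmd[2] | cmd[3] << 8);
    const uint8_t *data = cmd + INFO_RSP_HDR_LEN;
    size_t payload = cmd_len - INFO_RSP_HDR_LEN;

    if (result == L2CAP_IR_SUCCESS) { /* guard every read of data[] */
        if (type == L2CAP_IT_FEAT_MASK && payload >= 4)  /* cmd_len >= 8 */
            st->feat_mask = data[0] | data[1] << 8 | data[2] << 16 |
                            (uint32_t)data[3] << 24;
        else if (type == L2CAP_IT_FIXED_CHAN && payload >= 1) /* cmd_len >= 5 */
            st->remote_fixed_chan = data[0];
    }
    return 0; /* short payload: zero defaults kept, caller still proceeds */
}

/* Constructed sample: FEAT_MASK, success, mask 0x000002b8 (696 decimal). */
static const uint8_t sample[8] = { 0x02, 0, 0, 0, 0xb8, 0x02, 0, 0 };

/* Parse only the first len bytes of the sample; -1 means header truncated. */
long long mask_for_len(size_t len)
{
    struct info_state st = { 0 };
    return parse_info_rsp(sample, len, &st) ? -1 : (long long)st.feat_mask;
}

int main(void)
{
    for (size_t len = 3; len <= sizeof(sample); len++)
        printf("cmd_len=%zu feat_mask=%lld\n", len, mask_for_len(len));
}
```

Only the full 8-byte command yields the feature mask; lengths 4 through 7 complete with the zero default instead of reading past the buffer.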
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's Bluetooth L2CAP implementation. Specifically, the function l2cap_information_rsp() does not properly validate the length of the L2CAP_INFO_RSP payload before accessing its data.

The function checks that the command length covers the fixed header (4 bytes), but then reads additional payload data without verifying that the payload is actually present. This can lead to out-of-bounds reads when the payload is truncated.

For example, the handlers for the info types L2CAP_IT_FEAT_MASK and L2CAP_IT_FIXED_CHAN read 4 bytes and 1 byte past the header, so cmd_len must be at least 8 or 5 bytes respectively. If the command is shorter, an out-of-bounds read of adjacent skb data occurs.

The fix involves adding proper payload length checks before accessing the data. If the payload is too short, the read is skipped and safe default values are used, preventing the connection from stalling.


How can this vulnerability impact me?

This vulnerability can cause out-of-bounds memory reads in the Bluetooth L2CAP protocol handling within the Linux kernel.

Such out-of-bounds reads may lead to information disclosure by reading adjacent memory data unintentionally.

Additionally, improper handling of this condition could potentially cause instability or crashes in the Bluetooth stack, possibly affecting the reliability of Bluetooth connections.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by validating the L2CAP_INFO_RSP payload length before accessing it in the Linux kernel Bluetooth L2CAP implementation.

To mitigate this vulnerability immediately, ensure your Linux kernel is updated to a version that includes this fix.

If updating is not immediately possible, avoid using Bluetooth L2CAP features that may trigger the vulnerable code, though this may impact functionality.

