CVE-2026-31512
Received Received - Intake
Buffer Overflow in Linux Kernel Bluetooth L2CAP Component

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the same validation to the Enhanced Credit Based Flow Control data path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31512
EUVD
EUVD-2026-24895
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 3.14
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 3.14.1 (inc) to 5.10.253 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth L2CAP component, specifically in the function l2cap_ecred_data_rcv(). The function reads the SDU length field from a data buffer without first verifying that the buffer contains enough data (at least 2 bytes). If the buffer length is less than 2 bytes, the function reads beyond the valid data, which can lead to memory corruption or other unexpected behavior.

The issue arises because l2cap_ecred_data_rcv() uses get_unaligned_le16() to read the SDU length without checking the buffer length first. In contrast, another path in the code (ERTM reassembly) correctly validates the buffer length before reading. The fix involves applying the same validation to the Enhanced Credit Based Flow Control data path.

Impact Analysis

This vulnerability can lead to reading beyond the valid data in a buffer, which may cause memory corruption. Such memory corruption can potentially be exploited to cause crashes, denial of service, or even arbitrary code execution depending on the context and attacker capabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart