CVE-2026-31513
Received Received - Intake
Stack-Out-of-Bounds Read in Linux Bluetooth L2CAP Component

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd() that is triggered by a malformed Enhanced Credit Based Connection Request. The vulnerability stems from l2cap_ecred_conn_req(). The function allocates a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated `cmd_len` before checking if the number of SCIDs exceeds L2CAP_ECRED_MAX_CID. If the SCID count is too high, the function correctly jumps to the `response` label to reject the packet, but `rsp_len` retains the attacker's oversized value. Consequently, l2cap_send_cmd() is instructed to read past the end of the 18-byte `pdu` buffer, triggering a KASAN panic. Fix this by moving the assignment of `rsp_len` to after the `num_scid` boundary check. If the packet is rejected, `rsp_len` will safely remain 0, and the error response will only read the 8-byte base header from the stack.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31513
EUVD
EUVD-2026-24897
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.12.75 (inc) to 6.12.80 (exc)
linux linux_kernel From 6.18.16 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19.6 (inc) to 6.19.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability has been fixed by changing the Linux kernel code to properly validate the number of Source Channel IDs (SCIDs) before calculating the response length, preventing a stack-out-of-bounds read.

Immediate mitigation steps include updating your Linux kernel to a version that includes this fix.

Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth L2CAP component, specifically in the function l2cap_ecred_conn_req(). The function allocates a fixed-size local stack buffer intended to hold up to 5 Source Channel IDs (SCIDs), totaling 18 bytes.

An attacker can send a malformed Enhanced Credit Based Connection Request containing more than 5 SCIDs. The function calculates a response length (rsp_len) based on this unvalidated input before verifying if the SCID count exceeds the allowed maximum.

If the SCID count is too high, the function attempts to reject the packet, but rsp_len retains the oversized value. This causes a subsequent function, l2cap_send_cmd(), to read beyond the allocated buffer, leading to a stack-out-of-bounds read and triggering a kernel address sanitizer (KASAN) panic.

The fix involves moving the rsp_len assignment to after the SCID count boundary check, ensuring that if the packet is rejected, rsp_len remains safe and only the base header is read.

Impact Analysis

This vulnerability can cause a stack-out-of-bounds read in the Linux kernel's Bluetooth stack, which may lead to a kernel panic triggered by KASAN (Kernel Address Sanitizer).

Such a panic can cause system instability or crashes, potentially leading to denial of service (DoS) conditions on affected systems.

Because the issue involves reading beyond allocated memory, it might also be exploitable for information disclosure or other unintended behaviors, although the description does not explicitly confirm this.

Detection Guidance

This vulnerability involves a stack-out-of-bounds read triggered by malformed Enhanced Credit Based Connection Requests in the Bluetooth L2CAP layer of the Linux kernel.

Detection on a network or system would involve monitoring for malformed L2CAP packets with more than 5 Source Channel IDs (SCIDs) in Enhanced Credit Based Connection Requests.

Since the vulnerability is triggered by malformed Bluetooth packets, one approach is to capture Bluetooth traffic and analyze L2CAP connection requests for abnormal SCID counts.

However, no specific detection commands or tools are provided in the available information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31513. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart