CVE-2026-31513
Stack-Out-of-Bounds Read in Linux Bluetooth L2CAP Component
Publication date: 2026-04-22
Last updated on: 2026-04-28
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 6.12.75 (inc) to 6.12.80 (exc) |
| linux | linux_kernel | From 6.18.16 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19.6 (inc) to 6.19.11 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a stack-out-of-bounds read triggered by malformed Enhanced Credit Based Connection Requests in the Bluetooth L2CAP layer of the Linux kernel.
Detection on a network or system would involve monitoring for malformed L2CAP packets with more than 5 Source Channel IDs (SCIDs) in Enhanced Credit Based Connection Requests.
Since the vulnerability is triggered by malformed Bluetooth packets, one approach is to capture Bluetooth traffic and analyze L2CAP connection requests for abnormal SCID counts.
However, no specific detection commands or tools are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been fixed by changing the Linux kernel code to properly validate the number of Source Channel IDs (SCIDs) before calculating the response length, preventing a stack-out-of-bounds read.
Immediate mitigation steps include updating your Linux kernel to a version that includes this fix.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Bluetooth L2CAP component, specifically in the function l2cap_ecred_conn_req(). The function allocates a fixed-size local stack buffer intended to hold up to 5 Source Channel IDs (SCIDs), totaling 18 bytes.
An attacker can send a malformed Enhanced Credit Based Connection Request containing more than 5 SCIDs. The function calculates a response length (rsp_len) based on this unvalidated input before verifying if the SCID count exceeds the allowed maximum.
If the SCID count is too high, the function attempts to reject the packet, but rsp_len retains the oversized value. This causes a subsequent function, l2cap_send_cmd(), to read beyond the allocated buffer, leading to a stack-out-of-bounds read and triggering a kernel address sanitizer (KASAN) panic.
The fix involves moving the rsp_len assignment to after the SCID count boundary check, ensuring that if the packet is rejected, rsp_len remains safe and only the base header is read.
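As an added illustration (not the kernel's code and not part of this record), a constructed C model of the ordering problem described above: the struct layout, RSP_BASE_LEN and the function names are assumptions, while the 5-SCID limit and the 18-byte buffer come from the record.

```c
/* Constructed model of the check-ordering bug behind CVE-2026-31513.
 * Not kernel code: names and the struct layout are simplified assumptions;
 * only the 5-SCID limit and the 18-byte buffer come from the record. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define L2CAP_ECRED_MAX_CID 5

/* Response buffer: 8-byte base header plus up to 5 16-bit channel ids = 18 bytes. */
struct ecred_conn_rsp {
    uint16_t mtu, mps, credits, result;
    uint16_t dcid[L2CAP_ECRED_MAX_CID];
};
#define RSP_BASE_LEN offsetof(struct ecred_conn_rsp, dcid) /* 8 */

/* Vulnerable ordering: rsp_len is computed from the unvalidated SCID count
 * before the bound check, so the reject path still hands the oversized
 * length to the sender, which then reads past the 18-byte stack buffer. */
static size_t rsp_len_vulnerable(size_t num_scid)
{
    size_t rsp_len = RSP_BASE_LEN + num_scid * sizeof(uint16_t);
    if (num_scid > L2CAP_ECRED_MAX_CID) {
        /* request rejected here, but rsp_len keeps its oversized value */
    }
    return rsp_len; /* 22 for 7 SCIDs: 4 bytes beyond the buffer */
}

/* Fixed ordering: validate first; a rejected request sends only the base
 * header, so rsp_len never exceeds sizeof(struct ecred_conn_rsp). */
static size_t rsp_len_fixed(size_t num_scid)
{
    if (num_scid > L2CAP_ECRED_MAX_CID)
        return RSP_BASE_LEN; /* reject: header only */
    return RSP_BASE_LEN + num_scid * sizeof(uint16_t);
}

/* Bytes a send of rsp_len would read beyond the stack buffer. */
static size_t overread_bytes(size_t rsp_len)
{
    size_t buf = sizeof(struct ecred_conn_rsp);
    return rsp_len > buf ? rsp_len - buf : 0;
}

int main(void)
{
    for (size_t n = 4; n <= 7; n++)
        printf("scids=%zu vulnerable=%zu (+%zu) fixed=%zu (+%zu)\n", n,
               rsp_len_vulnerable(n), overread_bytes(rsp_len_vulnerable(n)),
               rsp_len_fixed(n), overread_bytes(rsp_len_fixed(n)));
    return 0;
}
```

The `+N` figures printed for the vulnerable variant are exactly the bytes KASAN would flag as read past the stack buffer; the fixed variant never exceeds the buffer for any count.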
How can this vulnerability impact me?
This vulnerability can cause a stack-out-of-bounds read in the Linux kernel's Bluetooth stack, which may lead to a kernel panic triggered by KASAN (Kernel Address Sanitizer).
Such a panic can cause system instability or crashes, potentially leading to denial of service (DoS) conditions on affected systems.
Because the issue involves reading beyond allocated memory, it might also be exploitable for information disclosure or other unintended behaviors, although the description does not explicitly confirm this.