CVE-2026-31771
Analyzed Analyzed - Analysis Complete
Buffer Overflow in Linux Kernel Bluetooth Event Handling

Publication date: 2026-05-01

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: move wake reason storage into validated event handlers hci_store_wake_reason() is called from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() enforces the per-event minimum payload length from hci_ev_table. This means a short HCI event frame can reach bacpy() before any bounds check runs. Rather than duplicating skb parsing and per-event length checks inside hci_store_wake_reason(), move wake-address storage into the individual event handlers after their existing event-length validation has succeeded. Convert hci_store_wake_reason() into a small helper that only stores an already-validated bdaddr while the caller holds hci_dev_lock(). Use the same helper after hci_event_func() with a NULL address to preserve the existing unexpected-wake fallback semantics when no validated event handler records a wake address. Annotate the helper with __must_hold(&hdev->lock) and add lockdep_assert_held(&hdev->lock) so future call paths keep the lock contract explicit. Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(), hci_sync_conn_complete_evt(), le_conn_complete_evt(), hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(), hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and hci_le_past_received_evt().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31771
EUVD
EUVD-2026-26584
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.10 (inc) to 6.19.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by moving wake reason storage into validated event handlers and enforcing proper bounds checks before processing HCI event frames.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth subsystem, specifically in the handling of HCI (Host Controller Interface) event packets. The function hci_store_wake_reason() is called too early, before proper validation of the event payload length occurs. This allows a short or malformed HCI event frame to reach the bacpy() function without bounds checking, potentially leading to memory corruption or other unexpected behavior.

The fix involved moving the storage of the wake reason into individual validated event handlers after their length checks have succeeded, ensuring that only validated data is processed. Additionally, locking mechanisms were added to enforce proper synchronization.

Impact Analysis

This vulnerability could allow an attacker to exploit the improper handling of Bluetooth HCI event packets to cause memory corruption or unexpected behavior in the Linux kernel. This might lead to system instability, crashes, or potentially allow escalation of privileges or execution of arbitrary code within the kernel context.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31771. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart