Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access

l2cap_information_rsp() checks that cmd_len covers the fixed
l2cap_info_rsp header (type + result, 4 bytes) but then reads
rsp->data without verifying that the payload is present:

- L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads
4 bytes past the header (needs cmd_len >= 8).

- L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header
(needs cmd_len >= 5).

A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an
out-of-bounds read of adjacent skb data.

Guard each data access with the required payload length check. If the
payload is too short, skip the read and let the state machine complete
with safe defaults (feat_mask and remote_fixed_chan remain zero from
kzalloc), so the info timer cleanup and l2cap_conn_start() still run
and the connection is not stalled.
Published: 2026-04-03
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Out-of-Bounds Read
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel, a flaw in the L2CAP layer causes the kernel to read memory beyond the bounds of a received L2CAP_INFO_RSP packet when the payload length is insufficient. The implementation only checks the command header size, but then accesses fields in the payload without validating that the required bytes are present. When an attacker sends a truncated packet with a success result, the kernel performs an out‑of‑bounds read of the surrounding skb data. This may expose kernel memory contents or other private data, or potentially lead to a crash. The weakness corresponds to an unchecked array bounds read (CWE‑788).

Affected Systems

The vulnerability is present in the Linux kernel code that implements Bluetooth L2CAP support. All distributions that include a Linux kernel version prior to the commit that added the payload length check are affected. No specific version list is provided, but the issue is fixed by the patch referenced in the supplied commit URLs.

Risk and Exploitability

The CVSS score is not supplied, and public exploitation data is not available. Exploitation would require an attacker to communicate with the target device over Bluetooth and send a crafted L2CAP_INFO_RSP packet. This limits the threat to nearby or connected devices on which Bluetooth is enabled. Because the vulnerability leads only to a read, the likelihood of a successful leak or crash depends on the kernel’s memory layout and the presence of sensitive data adjacent to the buffer. Overall risk is considered moderate and should be addressed through timely kernel upgrades.

Generated by OpenCVE AI on April 3, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that adds the payload length check for L2CAP_INFO_RSP
  • If using an older kernel, upgrade to a version that includes the fix referenced in the provided commit logs
  • If immediate patching is not possible, disable or restrict Bluetooth services on the host
  • Verify that no unnecessary L2CAP services are exposed to untrusted devices

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:15:58.142Z

Reserved: 2026-03-09T15:48:24.085Z

Link: CVE-2026-31393

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-03T16:16:37.420

Modified: 2026-04-03T16:16:37.420

Link: CVE-2026-31393

Redhat

Severity: Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31393 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:33Z

Weaknesses