Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access

l2cap_information_rsp() checks that cmd_len covers the fixed
l2cap_info_rsp header (type + result, 4 bytes) but then reads
rsp->data without verifying that the payload is present:

- L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads
4 bytes past the header (needs cmd_len >= 8).

- L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header
(needs cmd_len >= 5).

A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an
out-of-bounds read of adjacent skb data.

Guard each data access with the required payload length check. If the
payload is too short, skip the read and let the state machine complete
with safe defaults (feat_mask and remote_fixed_chan remain zero from
kzalloc), so the info timer cleanup and l2cap_conn_start() still run
and the connection is not stalled.
Published: 2026-04-03
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via out‑of‑bounds read in Bluetooth L2CAP
Action: Patch
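
A userspace model of the guarded parse the description calls for, added here as an illustration; it is not the kernel patch. `struct conn_model` and `parse_info_rsp()` are hypothetical names, the constants follow the kernel's l2cap.h, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the kernel's include/net/bluetooth/l2cap.h */
#define L2CAP_IT_FEAT_MASK  0x0002
#define L2CAP_IT_FIXED_CHAN 0x0003
#define L2CAP_IR_SUCCESS    0x0000
#define INFO_RSP_HDR_LEN    4   /* type (le16) + result (le16) */

/* Hypothetical stand-in for the two connection fields; caller zeroes it (kzalloc). */
struct conn_model { uint32_t feat_mask; uint8_t remote_fixed_chan; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns -1 if the fixed header is missing, 1 if a payload field was stored,
 * 0 if the response was accepted but no payload was read (defaults kept). */
int parse_info_rsp(const uint8_t *cmd, size_t cmd_len, struct conn_model *c)
{
    if (cmd_len < INFO_RSP_HDR_LEN)
        return -1;
    uint16_t type = le16(cmd), result = le16(cmd + 2);
    const uint8_t *data = cmd + INFO_RSP_HDR_LEN;
    size_t payload = cmd_len - INFO_RSP_HDR_LEN;
    if (result != L2CAP_IR_SUCCESS)
        return 0;
    if (type == L2CAP_IT_FEAT_MASK && payload >= sizeof(uint32_t)) {
        c->feat_mask = le32(data);          /* needs cmd_len >= 8 */
        return 1;
    }
    if (type == L2CAP_IT_FIXED_CHAN && payload >= 1) {
        c->remote_fixed_chan = data[0];     /* needs cmd_len >= 5 */
        return 1;
    }
    return 0;   /* truncated or other type: skip the read, state machine continues */
}

int main(void)
{
    /* Constructed sample: FEAT_MASK success response truncated to 6 bytes */
    const uint8_t trunc[] = { 0x02, 0x00, 0x00, 0x00, 0xb8, 0x02 };
    struct conn_model c = { 0 };
    int r = parse_info_rsp(trunc, sizeof trunc, &c);
    printf("ret=%d feat_mask=0x%08x\n", r, (unsigned)c.feat_mask);
    return 0;
}
```
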
AI Analysis

Impact

The flaw is in the Linux kernel Bluetooth subsystem. When a Bluetooth device sends an L2CAP_INFO_RSP packet, l2cap_information_rsp() checks only that the command length covers the fixed header, then reads the payload behind it without verifying that the payload is actually present. This out-of-bounds read can expose adjacent kernel memory. The vulnerability does not provide code execution but can leak sensitive data, making it a high-severity flaw with a CVSS score of 8.1.

Affected Systems

All Linux kernel releases that do not include patch commit 3b646516cba2ebc4b51a72954903326e7c1e443f or an equivalent patch set are affected. The record names only the generic Linux kernel (vendor Linux, product Linux Kernel). No specific downstream versions are listed, so any distribution kernel that has not yet applied the patch may remain vulnerable.

Risk and Exploitability

Exploitation requires an attacker with access to the Bluetooth interface who can send a crafted L2CAP_INFO_RSP message. The vector is likely remote over a Bluetooth channel, but local exploitation is also conceivable if the attacker can trigger the condition. The EPSS score of less than 1% and the CVE's absence from the CISA KEV catalog suggest a low current likelihood of exploitation, yet the impact warrants remediation. An attacker would gain information leakage rather than full control.

Generated by OpenCVE AI on April 28, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch commit 3b646516cba2ebc4b51a72954903326e7c1e443f or later.
  • If immediate kernel upgrade is not feasible, disable L2CAP on affected interfaces via sysfs or configuration to stop L2CAP traffic.
  • Alternatively, block all L2CAP traffic on the interface using a firewall rule such as nftables or iptables until a patch is applied.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics
  Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Sat, 18 Apr 2026 09:15:00 +0000


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:43.957Z

Reserved: 2026-03-09T15:48:24.085Z

Link: CVE-2026-31393

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-03T16:16:37.420

Modified: 2026-04-27T14:16:35.473

Link: CVE-2026-31393

Red Hat

Severity: Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31393 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T09:00:06Z

Weaknesses