Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: clamp SCO altsetting table indices

btusb_work() maps the number of active SCO links to USB alternate
settings through a three-entry lookup table when CVSD traffic uses
transparent voice settings. The lookup currently indexes alts[] with
data->sco_num - 1 without first constraining sco_num to the number of
available table entries.

While the table only defines alternate settings for up to three SCO
links, data->sco_num comes from hci_conn_num() and is used directly.
Cap the lookup to the last table entry before indexing it so the
driver keeps selecting the highest supported alternate setting without
reading past alts[].
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential kernel crash due to out‑of‑bounds array indexing in the btusb driver
Action: Apply Patch
AI Analysis

Impact

The btusb driver maps active SCO links to USB alternate settings through a lookup table that only supports up to three links. The code indexes this table using data->sco_num - 1, and data->sco_num is obtained from hci_conn_num() without being bounded to the table size. Because the table contains only three entries, an unbounded index can read past the end of the array, which may lead to incorrect memory reads and potentially cause the kernel to crash. The description does not indicate any information disclosure beyond a possible kernel failure.
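The lookup described above, reduced to a stand-alone user-space sketch (an added example, not the kernel's btusb code or the upstream patch). The table values, the function names and the handling of sco_num == 0 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed three-entry table: one alternate setting per 1, 2 or 3
 * active SCO links. Values are illustrative. */
static const int alts[3] = { 2, 4, 5 };

/* Index the unclamped lookup would use: sco_num - 1 with no upper bound.
 * Only the index is computed here; the table is never read with it. */
static size_t unclamped_index(unsigned int sco_num)
{
    return (size_t)sco_num - 1;   /* sco_num == 0 wraps to SIZE_MAX */
}

/* True when an index falls outside alts[]. */
static int index_is_oob(size_t idx)
{
    return idx >= ARRAY_SIZE(alts);
}

/* Clamped lookup: any link count above the table size selects the last
 * (highest supported) entry. Returns -1 when there is no active link
 * (assumption: no lookup is needed in that case). */
static int sco_alt_clamped(unsigned int sco_num)
{
    size_t idx;

    if (sco_num == 0)
        return -1;
    idx = (size_t)sco_num - 1;
    if (idx >= ARRAY_SIZE(alts))
        idx = ARRAY_SIZE(alts) - 1;
    return alts[idx];
}

int main(void)
{
    /* Walk link counts on both sides of the table boundary. */
    for (unsigned int n = 0; n <= 5; n++) {
        size_t raw = unclamped_index(n);
        printf("sco_num=%u raw_index=%zu %s clamped_alt=%d\n", n, raw,
               index_is_oob(raw) ? "(out of bounds)" : "(in bounds)",
               sco_alt_clamped(n));
    }
    return 0;
}
```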

Affected Systems

Linux kernel builds that ship the unpatched btusb driver are affected. The CPEs listed for this CVE include Linux kernel 5.8 and the 7.0 release candidates rc1 through rc7.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS score is less than 1%, indicating a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The missing bounds check can be triggered by an attacker who initiates multiple SCO links over Bluetooth. The description mentions only the out-of-bounds access; that a malicious actor could cause kernel instability through the unchecked index is an inference.

Generated by OpenCVE AI on April 29, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official kernel update that contains the btusb patch from your distribution’s security advisory.
  • If an immediate update is not possible, unload the btusb module and prevent it from loading.
  • Disable Bluetooth services that accept incoming connections until the driver is updated.
  • Restrict pairing to trusted devices or limit the number of simultaneous SCO links to avoid exceeding the table size.



Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Wed, 29 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Tue, 28 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.8:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: clamp SCO altsetting table indices btusb_work() maps the number of active SCO links to USB alternate settings through a three-entry lookup table when CVSD traffic uses transparent voice settings. The lookup currently indexes alts[] with data->sco_num - 1 without first constraining sco_num to the number of available table entries. While the table only defines alternate settings for up to three SCO links, data->sco_num comes from hci_conn_num() and is used directly. Cap the lookup to the last table entry before indexing it so the driver keeps selecting the highest supported alternate setting without reading past alts[].
Title Bluetooth: btusb: clamp SCO altsetting table indices
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:53.017Z

Reserved: 2026-03-09T15:48:24.102Z

Link: CVE-2026-31497

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:47.857

Modified: 2026-04-28T14:42:28.750

Link: CVE-2026-31497

Redhat

Severity: Low

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31497 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T02:30:07Z