CVE-2026-31497 - Vulnerability Details

- Bluetooth: btusb: clamp SCO altsetting table indices

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: clamp SCO altsetting table indices

btusb_work() maps the number of active SCO links to USB alternate
settings through a three-entry lookup table when CVSD traffic uses
transparent voice settings. The lookup currently indexes alts[] with
data->sco_num - 1 without first constraining sco_num to the number of
available table entries.

While the table only defines alternate settings for up to three SCO
links, data->sco_num comes from hci_conn_num() and is used directly.
Cap the lookup to the last table entry before indexing it so the
driver keeps selecting the highest supported alternate setting without
reading past alts[].

Published: 2026-04-22

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel Bluetooth driver btusb maps active SCO links to USB alternate settings via a small lookup table. When the number of active SCO links exceeds the size of that table, the code indexes beyond the array bounds without validation. This can lead to incorrect memory reads or, if an attacker supplies specially crafted input, a crash of the kernel, potentially allowing information disclosure or denial of service.

Affected Systems

All Linux kernel variants that ship the buggy btusb driver are affected. The problem exists before the patch was released; no specific version list is provided.

Risk and Exploitability

The advisory does not provide a CVSS score or EPSS value, but the lack of bounds checks makes the bug stable and exploitable. The likely attack vector is remote via Bluetooth: an attacker can connect a rogue device that initiates many SCO links to trigger the fault. The resulting kernel crash would render the system unavailable and could expose kernel memory contents.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`baac6276c0a9f36f1fe1f00590ef00d2ba5ba626`	affected	< 312c4450fe23014665c163f480edd5ad2e27bbb8
`baac6276c0a9f36f1fe1f00590ef00d2ba5ba626`	affected	< 9dd13a8641de79bc1bc93da55cdd35259a002683
`baac6276c0a9f36f1fe1f00590ef00d2ba5ba626`	affected	< 476c9262b430c38c6a701a3b8176a3f48689085b
`baac6276c0a9f36f1fe1f00590ef00d2ba5ba626`	affected	< 6fba3c3d48c927e55611a0f5ea34da88138ed0ff
`baac6276c0a9f36f1fe1f00590ef00d2ba5ba626`	affected	< 834cf890d2c3d29cbfa1ee2376c40469c28ec297
`baac6276c0a9f36f1fe1f00590ef00d2ba5ba626`	affected	< 1019028eb124564cf7bca58a16f1df8a1ca30726
`baac6276c0a9f36f1fe1f00590ef00d2ba5ba626`	affected	< 21c254202f9d78abe0fcd642a92966deb92bd226
`baac6276c0a9f36f1fe1f00590ef00d2ba5ba626`	affected	< 129fa608b6ad08b8ab7178eeb2ec272c993aaccc

Linux

affected

Version	Status	Constraints
`5.8`	affected	—
`0`	unaffected	< 5.8
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.131`	unaffected	≤ 6.6.*
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,312c4450fe23014665c163f480edd5ad2e27bbb8)`	affected	code_commit	—
`[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,9dd13a8641de79bc1bc93da55cdd35259a002683)`	affected	code_commit	—
`[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,476c9262b430c38c6a701a3b8176a3f48689085b)`	affected	code_commit	—
`[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,6fba3c3d48c927e55611a0f5ea34da88138ed0ff)`	affected	code_commit	—
`[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,834cf890d2c3d29cbfa1ee2376c40469c28ec297)`	affected	code_commit	—
`[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,1019028eb124564cf7bca58a16f1df8a1ca30726)`	affected	code_commit	—
`[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,21c254202f9d78abe0fcd642a92966deb92bd226)`	affected	code_commit	—
`[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,129fa608b6ad08b8ab7178eeb2ec272c993aaccc)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.8`	affected	generic	—
`[0,5.8)`	unaffected	generic	—
`[5.10.253,6.0.0)`	unaffected	semver	—
`[5.15.203,6.0.0)`	unaffected	semver	—
`[6.1.168,7.0.0)`	unaffected	semver	—
`[6.6.131,7.0.0)`	unaffected	semver	—
`[6.12.80,7.0.0)`	unaffected	semver	—
`[6.18.21,7.0.0)`	unaffected	semver	—
`[6.19.11,7.0.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check your distribution’s security advisories and install the latest Linux kernel update that contains the btusb patch.
If a kernel update cannot be applied immediately, disable platform Bluetooth services or unload the btusb module to prevent the vulnerability from being exercised.
Configure the system to block or limit creation of SCO links while using a patched kernel to reduce the risk of accidental overflow from legitimate devices.

Generated by OpenCVE AI on April 22, 2026 at 18:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1019028eb124564cf7bca58a16f1df8a1ca30726
https://git.kernel.org/stable/c/129fa608b6ad08b8ab7178eeb2ec272c993aaccc
https://git.kernel.org/stable/c/21c254202f9d78abe0fcd642a92966deb92bd226
https://git.kernel.org/stable/c/312c4450fe23014665c163f480edd5ad2e27bbb8
https://git.kernel.org/stable/c/476c9262b430c38c6a701a3b8176a3f48689085b
https://git.kernel.org/stable/c/6fba3c3d48c927e55611a0f5ea34da88138ed0ff
https://git.kernel.org/stable/c/834cf890d2c3d29cbfa1ee2376c40469c28ec297
https://git.kernel.org/stable/c/9dd13a8641de79bc1bc93da55cdd35259a002683
https://lore.kernel.org/linux-cve-announce/2026042203-CVE-2026-31497-f54a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31497
https://www.cve.org/CVERecord?id=CVE-2026-31497

History

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1285
References		https://lore.kernel.org/linux-cve-announce/2026042203-CVE-2026-31497-f54a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31497 https://www.cve.org/CVERecord?id=CVE-2026-31497
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 22 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-122

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: clamp SCO altsetting table indices btusb_work() maps the number of active SCO links to USB alternate settings through a three-entry lookup table when CVSD traffic uses transparent voice settings. The lookup currently indexes alts[] with data->sco_num - 1 without first constraining sco_num to the number of available table entries. While the table only defines alternate settings for up to three SCO links, data->sco_num comes from hci_conn_num() and is used directly. Cap the lookup to the last table entry before indexing it so the driver keeps selecting the highest supported alternate setting without reading past alts[].
Title		Bluetooth: btusb: clamp SCO altsetting table indices
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1019028eb124564cf7bca58a16f1df8a1ca30726 https://git.kernel.org/stable/c/129fa608b6ad08b8ab7178eeb2ec272c993aaccc https://git.kernel.org/stable/c/21c254202f9d78abe0fcd642a92966deb92bd226 https://git.kernel.org/stable/c/312c4450fe23014665c163f480edd5ad2e27bbb8 https://git.kernel.org/stable/c/476c9262b430c38c6a701a3b8176a3f48689085b https://git.kernel.org/stable/c/6fba3c3d48c927e55611a0f5ea34da88138ed0ff https://git.kernel.org/stable/c/834cf890d2c3d29cbfa1ee2376c40469c28ec297 https://git.kernel.org/stable/c/9dd13a8641de79bc1bc93da55cdd35259a002683

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:54:19.051Z

Updated: 2026-04-22T13:54:19.051Z

Reserved: 2026-03-09T15:48:24.102Z

Link: CVE-2026-31497

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T14:16:47.857

Modified: 2026-04-22T14:16:47.857

Link: CVE-2026-31497

Redhat

Severity : Low

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31497 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T19:45:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object