CVE-2026-31510 - Vulnerability Details

- Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb

Before using sk pointer, check if it is null.

Fix the following:

KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]
CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025
Workqueue: events l2cap_info_timeout
RIP: 0010:kasan_byte_accessible+0x12/0x30
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce
veth0_macvtap: entered promiscuous mode
RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001
RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000
R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
__kasan_check_byte+0x12/0x40
lock_acquire+0x79/0x2e0
lock_sock_nested+0x48/0x100
? l2cap_sock_ready_cb+0x46/0x160
l2cap_sock_ready_cb+0x46/0x160
l2cap_conn_start+0x779/0xff0
? __pfx_l2cap_conn_start+0x10/0x10
? l2cap_info_timeout+0x60/0xa0
? __pfx___mutex_lock+0x10/0x10
l2cap_info_timeout+0x68/0xa0
? process_scheduled_works+0xa8d/0x18c0
process_scheduled_works+0xb6e/0x18c0
? __pfx_process_scheduled_works+0x10/0x10
? assign_work+0x3d5/0x5e0
worker_thread+0xa53/0xfc0
kthread+0x388/0x470
? __pfx_worker_thread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x51e/0xb90
? __pfx_ret_from_fork+0x10/0x10
veth1_macvtap: entered promiscuous mode
? __switch_to+0xc7d/0x1450
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
batman_adv: batadv0: Interface activated: batadv_slave_0
batman_adv: batadv0: Interface activated: batadv_slave_1
netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
RIP: 0010:kasan_byte_accessible+0x12/0x30
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce
ieee80211 phy39: Selected rate control algorithm 'minstrel_ht'
RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001
RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000
R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0
PKRU: 55555554
Kernel panic - not syncing: Fatal exception

Published: 2026-04-22

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A null pointer dereference in the Linux kernel Bluetooth L2CAP stack causes a KASAN error and triggers a kernel panic, leading to an immediate system reboot. The flaw is a classic CWE‑476 problem that can crash the machine without any user‑level privilege escalation. The vulnerability’s CVSS base score of 5.5 reflects medium severity, but because the crash renders the system unavailable, the practical impact is a denial‑of‑service to all users of the affected host.

Affected Systems

The vulnerable component is the Bluetooth L2CAP subsystem of the Linux kernel. The patch that introduces a null‑check was merged into kernel release 7.0.0‑rc4, so any kernel revision prior to that or that does not contain the patch is potentially vulnerable. All distributions that ship unmodified or early 7.0.0 kernels are at risk, and the lack of explicit version ranges in the advisory means a broad set of systems can be affected.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity rating, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trigger the crash by sending specially crafted L2CAP packets over Bluetooth or by interacting with a vulnerable Bluetooth driver from local code. The impact is a system‑wide denial of service, but no privilege escalation is mentioned in the advisory.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`54a59aa2b562872781d6a8fc89f300d360941691`	affected	< d34776c7fa1f2c510f1cdd14823aba701babb4ad
`54a59aa2b562872781d6a8fc89f300d360941691`	affected	< 03d4eafb0f3788239df63575951f6b4c97bbfda4
`54a59aa2b562872781d6a8fc89f300d360941691`	affected	< 3c821bc0fbeaa27910a20d0b43c6008d099792af
`54a59aa2b562872781d6a8fc89f300d360941691`	affected	< a04a760c06bb591989db659439efdf106f0bae76
`54a59aa2b562872781d6a8fc89f300d360941691`	affected	< 0780f9333852971ca77d110019e3a66ce5a7b100
`54a59aa2b562872781d6a8fc89f300d360941691`	affected	< 1dc6db047919ecd59493cd51248b37381bbabcbb
`54a59aa2b562872781d6a8fc89f300d360941691`	affected	< 898b89c90ff9496e64b9331040778cc4e1b28c9d
`54a59aa2b562872781d6a8fc89f300d360941691`	affected	< b6552e0503973daf6f23bd6ed9273ef131ee364f

Linux

affected

Version	Status	Constraints
`3.6`	affected	—
`0`	unaffected	< 3.6
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.131`	unaffected	≤ 6.6.*
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:3.6:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[54a59aa2b562872781d6a8fc89f300d360941691,d34776c7fa1f2c510f1cdd14823aba701babb4ad)`	affected	code_commit	—
`[54a59aa2b562872781d6a8fc89f300d360941691,03d4eafb0f3788239df63575951f6b4c97bbfda4)`	affected	code_commit	—
`[54a59aa2b562872781d6a8fc89f300d360941691,3c821bc0fbeaa27910a20d0b43c6008d099792af)`	affected	code_commit	—
`[54a59aa2b562872781d6a8fc89f300d360941691,a04a760c06bb591989db659439efdf106f0bae76)`	affected	code_commit	—
`[54a59aa2b562872781d6a8fc89f300d360941691,0780f9333852971ca77d110019e3a66ce5a7b100)`	affected	code_commit	—
`[54a59aa2b562872781d6a8fc89f300d360941691,1dc6db047919ecd59493cd51248b37381bbabcbb)`	affected	code_commit	—
`[54a59aa2b562872781d6a8fc89f300d360941691,898b89c90ff9496e64b9331040778cc4e1b28c9d)`	affected	code_commit	—
`[54a59aa2b562872781d6a8fc89f300d360941691,b6552e0503973daf6f23bd6ed9273ef131ee364f)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.6`	affected	generic	—
`[0,3.6)`	unaffected	generic	—
`[5.10.253,5.10.*]`	unaffected	generic	—
`[5.15.203,5.15.*]`	unaffected	generic	—
`[6.1.168,6.1.*]`	unaffected	generic	—
`[6.6.131,6.6.*]`	unaffected	generic	—
`[6.12.80,6.12.*]`	unaffected	generic	—
`[6.18.21,6.18.*]`	unaffected	generic	—
`[6.19.11,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a release that includes the L2CAP null‑pointer fix, such as Linux 7.0.0‑rc5 or later, then reboot.
If an update is not yet available, disable Bluetooth services or unload the l2cap module to prevent the vulnerable code from executing.
Continuously monitor system logs for KASAN or kernel panic events to detect ongoing exploitation.

Generated by OpenCVE AI on April 29, 2026 at 00:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/03d4eafb0f3788239df63575951f6b4c97bbfda4
https://git.kernel.org/stable/c/0780f9333852971ca77d110019e3a66ce5a7b100
https://git.kernel.org/stable/c/1dc6db047919ecd59493cd51248b37381bbabcbb
https://git.kernel.org/stable/c/3c821bc0fbeaa27910a20d0b43c6008d099792af
https://git.kernel.org/stable/c/898b89c90ff9496e64b9331040778cc4e1b28c9d
https://git.kernel.org/stable/c/a04a760c06bb591989db659439efdf106f0bae76
https://git.kernel.org/stable/c/b6552e0503973daf6f23bd6ed9273ef131ee364f
https://git.kernel.org/stable/c/d34776c7fa1f2c510f1cdd14823aba701babb4ad
https://lore.kernel.org/linux-cve-announce/2026042208-CVE-2026-31510-1c90@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31510
https://www.cve.org/CVERecord?id=CVE-2026-31510

History

Tue, 28 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:3.6:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
References		https://lore.kernel.org/linux-cve-announce/2026042208-CVE-2026-31510-1c90@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31510 https://www.cve.org/CVERecord?id=CVE-2026-31510
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb Before using sk pointer, check if it is null. Fix the following: KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267] CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025 Workqueue: events l2cap_info_timeout RIP: 0010:kasan_byte_accessible+0x12/0x30 Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce veth0_macvtap: entered promiscuous mode RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001 RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000 R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: <TASK> __kasan_check_byte+0x12/0x40 lock_acquire+0x79/0x2e0 lock_sock_nested+0x48/0x100 ? l2cap_sock_ready_cb+0x46/0x160 l2cap_sock_ready_cb+0x46/0x160 l2cap_conn_start+0x779/0xff0 ? __pfx_l2cap_conn_start+0x10/0x10 ? l2cap_info_timeout+0x60/0xa0 ? __pfx___mutex_lock+0x10/0x10 l2cap_info_timeout+0x68/0xa0 ? process_scheduled_works+0xa8d/0x18c0 process_scheduled_works+0xb6e/0x18c0 ? __pfx_process_scheduled_works+0x10/0x10 ? assign_work+0x3d5/0x5e0 worker_thread+0xa53/0xfc0 kthread+0x388/0x470 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x51e/0xb90 ? __pfx_ret_from_fork+0x10/0x10 veth1_macvtap: entered promiscuous mode ? __switch_to+0xc7d/0x1450 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- batman_adv: batadv0: Interface activated: batadv_slave_0 batman_adv: batadv0: Interface activated: batadv_slave_1 netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 RIP: 0010:kasan_byte_accessible+0x12/0x30 Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce ieee80211 phy39: Selected rate control algorithm 'minstrel_ht' RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001 RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000 R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0 PKRU: 55555554 Kernel panic - not syncing: Fatal exception
Title		Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/03d4eafb0f3788239df63575951f6b4c97bbfda4 https://git.kernel.org/stable/c/0780f9333852971ca77d110019e3a66ce5a7b100 https://git.kernel.org/stable/c/1dc6db047919ecd59493cd51248b37381bbabcbb https://git.kernel.org/stable/c/3c821bc0fbeaa27910a20d0b43c6008d099792af https://git.kernel.org/stable/c/898b89c90ff9496e64b9331040778cc4e1b28c9d https://git.kernel.org/stable/c/a04a760c06bb591989db659439efdf106f0bae76 https://git.kernel.org/stable/c/b6552e0503973daf6f23bd6ed9273ef131ee364f https://git.kernel.org/stable/c/d34776c7fa1f2c510f1cdd14823aba701babb4ad

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:54:28.712Z

Updated: 2026-05-11T22:10:11.263Z

Reserved: 2026-03-09T15:48:24.106Z

Link: CVE-2026-31510

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:50.130

Modified: 2026-04-28T15:01:35.440

Link: CVE-2026-31510

Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31510 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:15:43Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object