CVE-2026-31512 - Vulnerability Details

- Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()

l2cap_ecred_data_rcv() reads the SDU length field from skb->data using
get_unaligned_le16() without first verifying that skb contains at least
L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads
past the valid data in the skb.

The ERTM reassembly path correctly calls pskb_may_pull() before reading
the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the
same validation to the Enhanced Credit Based Flow Control data path.

Published: 2026-04-22

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The kernel Bluetooth L2CAP implementation fails to validate the length of an incoming protocol data unit before reading the service data unit length. The routine l2cap_ecred_data_rcv() extracts a 16‑bit length field from the packet buffer without confirming that the buffer contains at least two bytes, which can cause an out‑of‑bounds read of kernel memory. This defect could leak sensitive kernel data to an attacker or trigger an exception that may lead to a crash. The weakness is a classic buffer over‑read (CWE‑125).

Affected Systems

Any Linux system whose kernel builds include the Bluetooth L2CAP stack is potentially affected. The patch has been merged into the main Linux kernel tree, but specific affected kernel releases are not listed in the advisory.

Risk and Exploitability

The advisory does not provide a CVSS score or EPSS value, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through a Bluetooth connection that can supply crafted L2CAP frames, so an attacker does not need local privileges. Because the flaw allows only a memory read, exploitation may lead to information disclosure or a denial‑of‑service via a crash, making it a serious risk for systems that accept untrusted Bluetooth traffic. The absence of a known exploit does not reduce the need to patch, as the vulnerability’s existence alone poses a potential information‑leak risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`aac23bf636593cc2d67144aed373a46a1a5f76b1`	affected	< cef09691cfb61f6c91cc27c3d69634f81c8ab949
`aac23bf636593cc2d67144aed373a46a1a5f76b1`	affected	< 3340be2bafdcc806f048273ea6d8e82a6597aa1b
`aac23bf636593cc2d67144aed373a46a1a5f76b1`	affected	< e47315b84d0eb188772c3ff5cf073cdbdefca6b4
`aac23bf636593cc2d67144aed373a46a1a5f76b1`	affected	< 477ad4976072056c348937e94f24583321938df4
`aac23bf636593cc2d67144aed373a46a1a5f76b1`	affected	< 40c7f7eea2f4d9cb0b3e924254c8c9053372168f
`aac23bf636593cc2d67144aed373a46a1a5f76b1`	affected	< 8c96f3bd4ae0802db90630be8e9851827e9c9209
`aac23bf636593cc2d67144aed373a46a1a5f76b1`	affected	< 5ad981249be52f5e4e92e0e97b436b569071cb86
`aac23bf636593cc2d67144aed373a46a1a5f76b1`	affected	< c65bd945d1c08c3db756821b6bf9f1c4a77b29c6

Linux

affected

Version	Status	Constraints
`3.14`	affected	—
`0`	unaffected	< 3.14
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.131`	unaffected	≤ 6.6.*
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[aac23bf636593cc2d67144aed373a46a1a5f76b1,cef09691cfb61f6c91cc27c3d69634f81c8ab949)`	affected	code_commit	—
`[aac23bf636593cc2d67144aed373a46a1a5f76b1,3340be2bafdcc806f048273ea6d8e82a6597aa1b)`	affected	code_commit	—
`[aac23bf636593cc2d67144aed373a46a1a5f76b1,e47315b84d0eb188772c3ff5cf073cdbdefca6b4)`	affected	code_commit	—
`[aac23bf636593cc2d67144aed373a46a1a5f76b1,477ad4976072056c348937e94f24583321938df4)`	affected	code_commit	—
`[aac23bf636593cc2d67144aed373a46a1a5f76b1,40c7f7eea2f4d9cb0b3e924254c8c9053372168f)`	affected	code_commit	—
`[aac23bf636593cc2d67144aed373a46a1a5f76b1,8c96f3bd4ae0802db90630be8e9851827e9c9209)`	affected	code_commit	—
`[aac23bf636593cc2d67144aed373a46a1a5f76b1,5ad981249be52f5e92e0e97b436b569071cb86)`	affected	code_commit	—
`[aac23bf636593cc2d67144aed373a46a1a5f76b1,c65bd945d1c08c3db756821b6bf9f1c4a77b29c6)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.14`	affected	generic	—
`[0,3.14)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.131,6.7.0)`	unaffected	semver	—
`[6.12.80,6.13.0)`	unaffected	semver	—
`[6.18.21,6.19.0)`	unaffected	semver	—
`[6.19.11,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the l2cap_ecred_data_rcv() patch.
Restart the Bluetooth service or reboot the system so the updated kernel is active.
If an immediate kernel update is not possible, temporarily disable the Bluetooth service or block L2CAP traffic until the patch can be applied.

Generated by OpenCVE AI on April 22, 2026 at 18:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b
https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f
https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4
https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86
https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209
https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6
https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949
https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4
https://lore.kernel.org/linux-cve-announce/2026042209-CVE-2026-31512-b386@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31512
https://www.cve.org/CVERecord?id=CVE-2026-31512

History

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1284
References		https://lore.kernel.org/linux-cve-announce/2026042209-CVE-2026-31512-b386@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31512 https://www.cve.org/CVERecord?id=CVE-2026-31512
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 22 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the same validation to the Enhanced Credit Based Flow Control data path.
Title		Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4 https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86 https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209 https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6 https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949 https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:54:30.171Z

Updated: 2026-04-22T13:54:30.171Z

Reserved: 2026-03-09T15:48:24.107Z

Link: CVE-2026-31512

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:16:50.490

Modified: 2026-04-23T16:17:41.280

Link: CVE-2026-31512

Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31512 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T18:45:24Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object