Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()

l2cap_ecred_data_rcv() reads the SDU length field from skb->data using
get_unaligned_le16() without first verifying that skb contains at least
L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads
past the valid data in the skb.

The ERTM reassembly path correctly calls pskb_may_pull() before reading
the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the
same validation to the Enhanced Credit Based Flow Control data path.
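
The check described above, as an added example that is not the kernel patch or code from this advisory: a user-space C model of parsing the first PDU of an SDU, where the buffer length is validated before the 16-bit SDU length is read. The names struct pdu, read_le16, ecred_first_pdu and parse_prefix are hypothetical, the sample frame is constructed, and the -EMSGSIZE check is this model's own addition.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define L2CAP_SDULEN_SIZE 2 /* size of the SDU length field, as on the page */

/* Hypothetical user-space stand-in for an skb: data pointer plus valid length. */
struct pdu {
    const uint8_t *data;
    size_t len;
};

/* Byte-wise little-endian 16-bit read, safe for unaligned pointers. */
static uint16_t read_le16(const uint8_t *b)
{
    return (uint16_t)(b[0] | ((uint16_t)b[1] << 8));
}

/*
 * Parse the first PDU of an SDU: validate, read the SDU length, strip the field.
 * Returns 0 on success, -EINVAL if the PDU cannot hold the length field,
 * -EMSGSIZE if the payload exceeds the announced SDU length (model's own check).
 */
static int ecred_first_pdu(struct pdu *p, uint16_t *sdu_len)
{
    if (p->len < L2CAP_SDULEN_SIZE)   /* the validation the advisory describes */
        return -EINVAL;
    *sdu_len = read_le16(p->data);
    p->data += L2CAP_SDULEN_SIZE;
    p->len -= L2CAP_SDULEN_SIZE;
    return p->len > *sdu_len ? -EMSGSIZE : 0;
}

/* Run the parser over the first n bytes of buf. */
static int parse_prefix(const uint8_t *buf, size_t n, uint16_t *sdu_len)
{
    struct pdu p = { buf, n };
    return ecred_first_pdu(&p, sdu_len);
}

int main(void)
{
    static const uint8_t frame[] = { 0x03, 0x00, 'a', 'b', 'c' }; /* constructed */
    for (size_t n = 0; n <= sizeof(frame); n++) {
        uint16_t sdu = 0;
        int rc = parse_prefix(frame, n, &sdu);
        printf("len=%zu rc=%d sdu_len=%u\n", n, rc, (unsigned)sdu);
    }
    return 0;
}
```

Prefixes of 0 and 1 bytes are rejected before any byte of the length field is touched, which is the behaviour the fix adds to the Enhanced Credit Based Flow Control path.
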
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The kernel Bluetooth L2CAP implementation fails to validate the length of an incoming protocol data unit before reading the service data unit length. The routine l2cap_ecred_data_rcv() extracts a 16‑bit length field from the packet buffer without confirming that the buffer contains at least two bytes, which can cause an out‑of‑bounds read of kernel memory. This defect could leak sensitive kernel data to an attacker or trigger an exception that may lead to a crash. The weakness is a buffer over‑read (CWE‑125) that results from improper validation of a length in the input (CWE‑1284).

Affected Systems

Any Linux system whose kernel builds include the Bluetooth L2CAP stack is potentially affected. The patch has been merged into the main Linux kernel tree, but specific affected kernel releases are not listed in the advisory.

Risk and Exploitability

The advisory lists a CVSS score of 5.5 and an EPSS score of less than 1%, indicating a medium severity but a very low probability of exploitation at the time of this analysis. The flaw allows only a memory read; exploitation could result in information disclosure or a denial‑of‑service via a kernel crash. The likely attack vector is through a Bluetooth connection that can supply crafted L2CAP frames, and no local privileges are required. The vulnerability is not listed in the CISA KEV catalog, but the presence of a medium CVSS score and the absence of a known exploit do not diminish the need for timely patching.

Generated by OpenCVE AI on April 28, 2026 at 23:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the l2cap_ecred_data_rcv() patch.
  • Restart the Bluetooth service or reboot the system so the updated kernel is active.
  • If an immediate kernel update is not possible, temporarily disable the Bluetooth service or block L2CAP traffic until the patch can be applied.

Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update

History

Tue, 28 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:3.14:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 22 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the same validation to the Enhanced Credit Based Flow Control data path.
Title Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:10:13.614Z

Reserved: 2026-03-09T15:48:24.107Z

Link: CVE-2026-31512

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:50.490

Modified: 2026-04-28T15:08:37.783

Link: CVE-2026-31512

Red Hat

Severity: Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31512 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z