Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req

Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()
that is triggered by a malformed Enhanced Credit Based Connection Request.

The vulnerability stems from l2cap_ecred_conn_req(). The function allocates
a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel
IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more
than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated
`cmd_len` before checking if the number of SCIDs exceeds
L2CAP_ECRED_MAX_CID.

If the SCID count is too high, the function correctly jumps to the
`response` label to reject the packet, but `rsp_len` retains the
attacker's oversized value. Consequently, l2cap_send_cmd() is instructed
to read past the end of the 18-byte `pdu` buffer, triggering a
KASAN panic.

Fix this by moving the assignment of `rsp_len` to after the `num_scid`
boundary check. If the packet is rejected, `rsp_len` will safely
remain 0, and the error response will only read the 8-byte base header
from the stack.
Published: 2026-04-22
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A malformed Enhanced Credit Based Connection Request makes the Linux kernel Bluetooth L2CAP stack hand l2cap_send_cmd() a length larger than the 18-byte stack buffer (`pdu`) the response is built in, so the send routine reads past the end of that buffer. On a KASAN-instrumented kernel the out-of-bounds read is detected and reported as a kernel panic, taking the system down. On a production kernel without KASAN the same read silently copies adjacent stack bytes into the response returned to the peer, so the practical effect there is disclosure of kernel stack contents rather than a crash. Neither path gives the attacker code execution, but the crash case is a full denial of service.
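To make the length bookkeeping in the Description and the Impact paragraph above concrete, here is an added example that is neither kernel code nor part of the OpenCVE page: a user-space model of l2cap_ecred_conn_req() in its vulnerable and fixed forms, differing only in where `rsp_len` is assigned. The struct and function names, the numeric value used for the "invalid parameters" result code, and the constructed request bytes are this example's own assumptions; only the wire layout (an 8-byte base followed by up to five 16-bit CIDs, 18 bytes in total) follows what the description states. The handler returns the byte count it would pass to the send routine and how many of those bytes lie past the 18-byte `pdu`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts follow the L2CAP Enhanced Credit Based Connection Request/Response
 * wire format (8-byte base + up to 5 CIDs), but every name below is this
 * example's own, not the kernel's.  Fields are kept in host order; the
 * kernel uses __le16. */
#define ECRED_MAX_CID 5

struct ecred_conn_req {            /* spsm, mtu, mps, credits, then SCIDs */
    uint16_t psm, mtu, mps, credits;
};

struct ecred_conn_rsp {            /* mtu, mps, credits, result, then DCIDs */
    uint16_t mtu, mps, credits, result;
    uint16_t dcid[ECRED_MAX_CID];  /* 8 + 5*2 = 18 bytes on the stack */
};

#define ECRED_RSP_BASE_LEN offsetof(struct ecred_conn_rsp, dcid)

/* SUCCESS is 0x0000 on the wire; the INVALID_PARAMS value is an assumption
 * made for this example. */
#define RESULT_SUCCESS        0x0000
#define RESULT_INVALID_PARAMS 0x000C

enum variant { VULNERABLE, FIXED };

struct outcome {
    uint16_t result;     /* result code placed in the response */
    size_t   send_len;   /* byte count handed to the send routine */
    size_t   overread;   /* bytes of that count lying past the 18-byte pdu */
};

/* Model of the request handler.  Only the placement of the rsp_len
 * assignment differs between the two variants, as in the upstream fix. */
static struct outcome handle_ecred_conn_req(enum variant v,
                                            const uint8_t *cmd, size_t cmd_len)
{
    struct ecred_conn_rsp pdu;
    size_t num_scid, rsp_len = 0;
    uint16_t result = RESULT_SUCCESS;
    struct outcome o;

    memset(&pdu, 0, sizeof(pdu));
    (void)cmd;                         /* SCID values are not needed here */

    if (cmd_len < sizeof(struct ecred_conn_req)) {
        result = RESULT_INVALID_PARAMS;
        goto response;
    }

    cmd_len -= sizeof(struct ecred_conn_req);
    num_scid = cmd_len / sizeof(uint16_t);

    if (v == VULNERABLE)               /* BUG: derived from unvalidated length */
        rsp_len = num_scid * sizeof(uint16_t);

    if (num_scid > ECRED_MAX_CID) {    /* rejected, but rsp_len already set */
        result = RESULT_INVALID_PARAMS;
        goto response;
    }

    if (v == FIXED)                    /* num_scid <= 5 is guaranteed here */
        rsp_len = num_scid * sizeof(uint16_t);

    for (size_t i = 0; i < num_scid; i++)
        pdu.dcid[i] = (uint16_t)(0x0040 + i);  /* stand-in for allocated CIDs */

response:
    pdu.result = result;
    o.result   = result;
    o.send_len = ECRED_RSP_BASE_LEN + rsp_len;
    /* A real send would copy o.send_len bytes starting at &pdu; anything
     * past sizeof(pdu) is a stack out-of-bounds read (what KASAN flagged). */
    o.overread = o.send_len > sizeof(pdu) ? o.send_len - sizeof(pdu) : 0;
    return o;
}

/* Constructed request: 8-byte base followed by num_scid 16-bit SCIDs.
 * Returns the request length, or 0 if it does not fit in buf. */
static size_t build_request(uint8_t *buf, size_t cap, size_t num_scid)
{
    size_t len = sizeof(struct ecred_conn_req) + num_scid * sizeof(uint16_t);
    if (len > cap)
        return 0;
    memset(buf, 0, len);
    for (size_t i = 0; i < num_scid; i++) {
        uint16_t scid = (uint16_t)(0x0040 + i);
        memcpy(buf + sizeof(struct ecred_conn_req) + i * 2, &scid, 2);
    }
    return len;
}

int main(void)
{
    uint8_t req[256];
    size_t counts[] = {1, 5, 6, 100};
    for (size_t k = 0; k < sizeof counts / sizeof counts[0]; k++) {
        size_t len = build_request(req, sizeof req, counts[k]);
        struct outcome bad  = handle_ecred_conn_req(VULNERABLE, req, len);
        struct outcome good = handle_ecred_conn_req(FIXED, req, len);
        printf("%3zu SCIDs: vulnerable send_len=%3zu overread=%3zu | "
               "fixed send_len=%2zu overread=%zu result=0x%04x\n",
               counts[k], bad.send_len, bad.overread,
               good.send_len, good.overread, good.result);
    }
    return 0;
}
```

Build with `cc -Wall -o ecred ecred.c && ./ecred`. A five-CID request is handled identically by both variants (18 bytes sent, nothing over-read). With six CIDs the vulnerable variant rejects the request yet still sends 20 bytes, two of them from beyond `pdu`; the over-read grows with every extra CID the attacker appends. The fixed variant sends only the 8-byte base header on every rejection, and the too-short-request check shares that same `response` path, which is why leaving `rsp_len` at 0 there is enough.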

Affected Systems

The vulnerability is in the Linux kernel's Bluetooth L2CAP implementation, specifically the Enhanced Credit Based Connection Request handler l2cap_ecred_conn_req() in net/bluetooth/l2cap_core.c. Every kernel build in which that handler computes rsp_len before the num_scid boundary check is affected until it is replaced by a build carrying the fix described above, which moves the assignment after the check; distribution kernels are covered by whichever release backports that commit.

Risk and Exploitability

Triggering the bug requires sending the host an Enhanced Credit Based Connection Request carrying more than five Source Channel IDs; six are enough, because the check is against L2CAP_ECRED_MAX_CID, which is 5. The request travels over the Bluetooth link, so a Bluetooth peer within radio range that can establish a link to the host can send it; no account on the target is needed. No KEV listing or EPSS score is available. The only CVSS assessment on this page is the 7.0 vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H recorded in the History section, which treats the Bluetooth adjacency as a local, high-complexity vector. Either way, a nearby attacker can disrupt service on an affected host that has Bluetooth enabled.

Generated by OpenCVE AI on April 22, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Boot a kernel that includes the l2cap_ecred_conn_req fix (the commit that moves the rsp_len assignment after the num_scid check), from upstream stable or a distribution backport. A reboot is required: the L2CAP code is compiled into the kernel's bluetooth module, and installing the package alone does not replace the running code.
  • The bluetooth module ships with the kernel package, so it needs no separate rebuild; only out-of-tree Bluetooth drivers have to be rebuilt against the patched kernel.
  • If the patch cannot be applied immediately, disable Bluetooth on the host: block the radio with rfkill, stop the bluetooth service, and prevent the bluetooth and HCI transport modules (for example btusb) from loading. L2CAP is carried inside the Bluetooth link, not over IP, so it cannot be filtered with network firewalling.

Generated by OpenCVE AI on April 22, 2026 at 18:39 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000
  Weaknesses: CWE-125
  References: (none)
  Metrics: threat_severity None -> Moderate; cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} added

Wed, 22 Apr 2026 19:00:00 +0000
  Weaknesses: CWE-787

Wed, 22 Apr 2026 14:15:00 +0000
  Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd() that is triggered by a malformed Enhanced Credit Based Connection Request. The vulnerability stems from l2cap_ecred_conn_req(). The function allocates a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated `cmd_len` before checking if the number of SCIDs exceeds L2CAP_ECRED_MAX_CID. If the SCID count is too high, the function correctly jumps to the `response` label to reject the packet, but `rsp_len` retains the attacker's oversized value. Consequently, l2cap_send_cmd() is instructed to read past the end of the 18-byte `pdu` buffer, triggering a KASAN panic. Fix this by moving the assignment of `rsp_len` to after the `num_scid` boundary check. If the packet is rejected, `rsp_len` will safely remain 0, and the error response will only read the 8-byte base header from the stack.
  Title: Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
  First Time appeared: Linux; Linux linux Kernel
  CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products: Linux; Linux linux Kernel
  References: (none)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-22T13:54:30.835Z

Reserved: 2026-03-09T15:48:24.107Z

Link: CVE-2026-31513

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T14:16:50.673

Modified: 2026-04-22T14:16:50.673

Link: CVE-2026-31513

Redhat

Severity : Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31513 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T19:45:25Z

Weaknesses