Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: move wake reason storage into validated event handlers

hci_store_wake_reason() is called from hci_event_packet() immediately
after stripping the HCI event header but before hci_event_func()
enforces the per-event minimum payload length from hci_ev_table.
This means a short HCI event frame can reach bacpy() before any bounds
check runs.

Rather than duplicating skb parsing and per-event length checks inside
hci_store_wake_reason(), move wake-address storage into the individual
event handlers after their existing event-length validation has
succeeded. Convert hci_store_wake_reason() into a small helper that only
stores an already-validated bdaddr while the caller holds hci_dev_lock().
Use the same helper after hci_event_func() with a NULL address to
preserve the existing unexpected-wake fallback semantics when no
validated event handler records a wake address.

Annotate the helper with __must_hold(&hdev->lock) and add
lockdep_assert_held(&hdev->lock) so future call paths keep the lock
contract explicit.

Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(),
hci_sync_conn_complete_evt(), le_conn_complete_evt(),
hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(),
hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and
hci_le_past_received_evt().
Published: 2026-05-01
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel Bluetooth stack, hci_event_packet() called hci_store_wake_reason() right after stripping the HCI event header and before hci_event_func() had checked the frame against the per-event minimum payload length in hci_ev_table. For events that carry a remote address, hci_store_wake_reason() then used bacpy() to copy a 6-byte bdaddr out of the payload, so an event frame shorter than its event's minimum length made bacpy() read past the end of the received data (CWE-120: a copy with no size check). The effect is an out-of-bounds read of the socket buffer during event processing: a kernel crash, or a wake address recorded from bytes the controller never sent. The fix moves the copy into the individual event handlers, which only run after the length check has passed, and turns hci_store_wake_reason() into a helper that stores an already-validated address under hci_dev_lock().
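To make the ordering problem concrete, the following is a constructed C model of the pre-fix and post-fix paths. It is an added example, not kernel code and not the patch: the Connection Request opcode and payload layout follow the Bluetooth Core spec, while the skb, hci_dev, hci_ev_table, wake-reason values and the _prefix/_fixed function names are simplified stand-ins for the real ones. A two-byte frame sent through the pre-fix path gets four bytes of never-received buffer memory copied into the wake address; the same frame through the fixed path is rejected by the length check and falls through to the unexpected-wake fallback, while a well-formed frame is still recorded.

```c
/* Constructed model of the HCI event path discussed above, not kernel code: the opcode
 * and payload layout follow the Bluetooth Core spec, everything else is a stand-in. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HCI_EV_CONN_REQUEST 0x04
typedef struct { uint8_t b[6]; } bdaddr_t;
/* Connection Request payload: byte-sized fields only, so sizeof() is the wire length (10). */
struct hci_ev_conn_request { bdaddr_t bdaddr; uint8_t dev_class[3]; uint8_t link_type; };

enum wake_reason { WAKE_UNEXPECTED = 0, WAKE_REMOTE_CONNECTION = 1 };
/* lock_held stands in for hci_dev_lock(); wake_recorded makes the first reason win. */
struct hci_dev { bool lock_held; bool wake_recorded; enum wake_reason wake_reason; bdaddr_t wake_addr; };
/* Payload after the 2-byte header; bytes past `len` are allocated but were never received. */
struct skb { uint8_t buf[32]; size_t len; };
/* The role hci_ev_table plays: per-event minimum length, plus where the remote address sits. */
struct hci_ev_desc { uint8_t evt; size_t min_len; size_t bdaddr_off; };
static const struct hci_ev_desc hci_ev_table[] = {
    { HCI_EV_CONN_REQUEST, sizeof(struct hci_ev_conn_request), offsetof(struct hci_ev_conn_request, bdaddr) },
};
static const struct hci_ev_desc *hci_ev_lookup(uint8_t evt)
{
    for (size_t i = 0; i < sizeof hci_ev_table / sizeof hci_ev_table[0]; i++)
        if (hci_ev_table[i].evt == evt) return &hci_ev_table[i];
    return NULL;
}

/* BEFORE the fix: runs right after the header strip and before any length check, so
 * bacpy() (memcpy here) reads 6 bytes whether the frame carried them or not. */
static void hci_store_wake_reason_prefix(struct hci_dev *hdev, uint8_t evt, const struct skb *skb)
{
    const struct hci_ev_desc *d = hci_ev_lookup(evt);
    hdev->wake_recorded = true;
    hdev->wake_reason = d ? WAKE_REMOTE_CONNECTION : WAKE_UNEXPECTED;
    if (d) memcpy(hdev->wake_addr.b, skb->buf + d->bdaddr_off, sizeof(bdaddr_t)); /* no skb->len check */
}

/* AFTER the fix: stores an already-validated address (NULL = unexpected-wake fallback);
 * the caller must hold the device lock. */
static void hci_store_wake_addr(struct hci_dev *hdev, const bdaddr_t *addr)
{
    assert(hdev->lock_held);                 /* lockdep_assert_held(&hdev->lock) */
    if (hdev->wake_recorded) return;
    hdev->wake_recorded = true;
    hdev->wake_reason = addr ? WAKE_REMOTE_CONNECTION : WAKE_UNEXPECTED;
    if (addr) memcpy(hdev->wake_addr.b, addr->b, sizeof(bdaddr_t));   /* bacpy() */
}

/* AFTER the fix: the dispatcher enforces min_len first, so the handler only ever reads,
 * and records, an address that lies inside the received frame. */
static int hci_event_func_fixed(struct hci_dev *hdev, uint8_t evt, const struct skb *skb)
{
    const struct hci_ev_desc *d = hci_ev_lookup(evt);
    if (!d) return -1;                       /* unknown event: no handler */
    if (skb->len < d->min_len) return -2;    /* short frame: handler never runs */
    bdaddr_t addr;                           /* what hci_conn_request_evt() sees */
    memcpy(addr.b, skb->buf + d->bdaddr_off, sizeof(bdaddr_t));
    hdev->lock_held = true;                  /* hci_dev_lock() */
    hci_store_wake_addr(hdev, &addr);
    hdev->lock_held = false;                 /* hci_dev_unlock() */
    return 0;
}

/* AFTER the fix: hci_event_packet() dispatches, then calls the helper with NULL so a frame
 * that no validated handler recorded still counts as an unexpected wake. */
static int hci_event_packet_fixed(struct hci_dev *hdev, uint8_t evt, const struct skb *skb)
{
    int rc = hci_event_func_fixed(hdev, evt, skb);
    hdev->lock_held = true;
    hci_store_wake_addr(hdev, NULL);
    hdev->lock_held = false;
    return rc;
}

/* Constructed 2-byte Connection Request (spec minimum is 10) through either path. */
static struct hci_dev run_short_frame(bool fixed)
{
    struct hci_dev hdev = {0};
    struct skb skb = { .len = 2 };
    memset(skb.buf, 0xEE, sizeof skb.buf);   /* 0xEE: bytes the controller never sent */
    skb.buf[0] = 0x11; skb.buf[1] = 0x22;    /* the only two bytes actually received */
    if (fixed) hci_event_packet_fixed(&hdev, HCI_EV_CONN_REQUEST, &skb);
    else hci_store_wake_reason_prefix(&hdev, HCI_EV_CONN_REQUEST, &skb);
    return hdev;
}

/* Constructed well-formed 10-byte Connection Request (bdaddr 01:02:03:04:05:06), fixed path. */
static struct hci_dev run_valid_frame(void)
{
    struct hci_dev hdev = {0};
    struct skb skb = { .len = sizeof(struct hci_ev_conn_request) };
    for (size_t i = 0; i < 6; i++) skb.buf[i] = (uint8_t)(i + 1);   /* bdaddr is at offset 0 */
    hci_event_packet_fixed(&hdev, HCI_EV_CONN_REQUEST, &skb);
    return hdev;
}
static int wake_byte(struct hci_dev d, size_t i) { return d.wake_addr.b[i]; }
```

The point of the table-driven dispatcher is that the length check lives in one place and every handler runs strictly after it; the helper's lock assertion is what keeps a future caller from reintroducing an unlocked or unvalidated store.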

Affected Systems

The flaw is in the core Bluetooth HCI event handler of the Linux kernel (net/bluetooth/hci_event.c), not in any particular controller driver, so every kernel built with Bluetooth support (CONFIG_BT) that predates the fix is affected regardless of the transport (USB, UART, SDIO) the controller attaches over. The CVE entry names only the Linux kernel and gives no version range, so any distribution kernel that has not picked up the fixing commits should be treated as vulnerable.

Risk and Exploitability

The CVSS v3.1 vector recorded below (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.0) rates the attack vector as local with high complexity, and that matches how HCI works: event packets flow from the Bluetooth controller to the host, so a remote peer over the air cannot craft them directly. The realistic attacker controls the controller side, for example through a hostile or compromised USB Bluetooth adapter, or as a local process able to feed frames through a virtual HCI controller (/dev/vhci). A short frame reaching bacpy() reads beyond the received payload, which can crash the kernel (denial of service); the High confidentiality and integrity ratings indicate the assigner considers worse outcomes possible. EPSS is unavailable and the CVE is not in the CISA KEV catalog, so there is no evidence of exploitation in the wild, but a missing bounds check in a parser that runs on every HCI event is worth patching promptly wherever untrusted controllers can be attached.

Generated by OpenCVE AI on May 2, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that incorporates the fix, identified by commits 2b2bf47cd75518c36fa2d41380e4a40641cc89cd and 86c8d07a64d553c41e213b52650020010f9ef23e.
  • If an immediate upgrade is not feasible and the host does not need Bluetooth, keep the stack out of the kernel: blocklist the bluetooth module (an `install bluetooth /bin/false` line in /etc/modprobe.d prevents it, and every transport driver that depends on it, from loading) and remove or disable any attached controller.
  • Where Bluetooth is required, limit which controllers can attach rather than which peers can connect: the malformed frames arrive on the HCI link from the controller itself, so a network or host firewall never sees them. Allow only known USB Bluetooth adapters (for example through a USBGuard policy) and restrict access to virtual HCI devices to administrators.

Generated by OpenCVE AI on May 2, 2026 at 07:23 UTC.

Tracking


Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type        Values Removed          Values Added
Weaknesses                          CWE-120
References
Metrics     threat_severity: None   cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                    threat_severity: Moderate


Fri, 01 May 2026 14:45:00 +0000

Type                 Values Removed   Values Added
Description                           In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: move wake reason storage into validated event handlers hci_store_wake_reason() is called from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() enforces the per-event minimum payload length from hci_ev_table. This means a short HCI event frame can reach bacpy() before any bounds check runs. Rather than duplicating skb parsing and per-event length checks inside hci_store_wake_reason(), move wake-address storage into the individual event handlers after their existing event-length validation has succeeded. Convert hci_store_wake_reason() into a small helper that only stores an already-validated bdaddr while the caller holds hci_dev_lock(). Use the same helper after hci_event_func() with a NULL address to preserve the existing unexpected-wake fallback semantics when no validated event handler records a wake address. Annotate the helper with __must_hold(&hdev->lock) and add lockdep_assert_held(&hdev->lock) so future call paths keep the lock contract explicit. Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(), hci_sync_conn_complete_evt(), le_conn_complete_evt(), hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(), hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and hci_le_past_received_evt().
Title                                 Bluetooth: hci_event: move wake reason storage into validated event handlers
First Time appeared                   Linux
                                      Linux linux Kernel
CPEs                                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                    Linux
                                      Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:59.918Z

Reserved: 2026-03-09T15:48:24.140Z

Link: CVE-2026-31771

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:40.337

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31771

Redhat

Severity : Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31771 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T07:30:36Z

Weaknesses