{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31393", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.085Z", "datePublished": "2026-04-03T15:15:58.142Z", "dateUpdated": "2026-04-03T15:15:58.142Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:58.142Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access\n\nl2cap_information_rsp() checks that cmd_len covers the fixed\nl2cap_info_rsp header (type + result, 4 bytes) but then reads\nrsp->data without verifying that the payload is present:\n\n - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads\n 4 bytes past the header (needs cmd_len >= 8).\n\n - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header\n (needs cmd_len >= 5).\n\nA truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an\nout-of-bounds read of adjacent skb data.\n\nGuard each data access with the required payload length check. If the\npayload is too short, skip the read and let the state machine complete\nwith safe defaults (feat_mask and remote_fixed_chan remain zero from\nkzalloc), so the info timer cleanup and l2cap_conn_start() still run\nand the connection is not stalled."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "4e8402a3f884427f9233ba436459c158d1f2e114", "lessThan": "3b646516cba2ebc4b51a72954903326e7c1e443f", "status": "affected", "versionType": "git"}, {"version": "4e8402a3f884427f9233ba436459c158d1f2e114", "lessThan": "807bd1258453c4c83f6ae9dbc1e7b44860ff40d0", "status": "affected", "versionType": "git"}, {"version": "4e8402a3f884427f9233ba436459c158d1f2e114", "lessThan": "9aeacde4da0f02d42fd968fd32f245828b230171", "status": "affected", "versionType": "git"}, {"version": "4e8402a3f884427f9233ba436459c158d1f2e114", "lessThan": "e7ff754e339e3d5ce29aa9f95352d0186df8fbd9", "status": "affected", "versionType": "git"}, {"version": "4e8402a3f884427f9233ba436459c158d1f2e114", "lessThan": "db2872d054e467810078e2b9f440a5b326a601b2", "status": "affected", "versionType": "git"}, {"version": "4e8402a3f884427f9233ba436459c158d1f2e114", "lessThan": "dd815e6e3918dc75a49aaabac36e4f024d675101", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "2.6.24", "status": "affected"}, {"version": "0", "lessThan": "2.6.24", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3b646516cba2ebc4b51a72954903326e7c1e443f"}, {"url": "https://git.kernel.org/stable/c/807bd1258453c4c83f6ae9dbc1e7b44860ff40d0"}, {"url": "https://git.kernel.org/stable/c/9aeacde4da0f02d42fd968fd32f245828b230171"}, {"url": "https://git.kernel.org/stable/c/e7ff754e339e3d5ce29aa9f95352d0186df8fbd9"}, {"url": "https://git.kernel.org/stable/c/db2872d054e467810078e2b9f440a5b326a601b2"}, {"url": "https://git.kernel.org/stable/c/dd815e6e3918dc75a49aaabac36e4f024d675101"}], "title": "Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access\n\nl2cap_information_rsp() checks that cmd_len covers the fixed\nl2cap_info_rsp header (type + result, 4 bytes) but then reads\nrsp->data without verifying that the payload is present:\n\n - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads\n 4 bytes past the header (needs cmd_len >= 8).\n\n - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header\n (needs cmd_len >= 5).\n\nA truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an\nout-of-bounds read of adjacent skb data.\n\nGuard each data access with the required payload length check. If the\npayload is too short, skip the read and let the state machine complete\nwith safe defaults (feat_mask and remote_fixed_chan remain zero from\nkzalloc), so the info timer cleanup and l2cap_conn_start() still run\nand the connection is not stalled."}], "id": "CVE-2026-31393", "lastModified": "2026-04-03T16:16:37.420", "metrics": {}, "published": "2026-04-03T16:16:37.420", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3b646516cba2ebc4b51a72954903326e7c1e443f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/807bd1258453c4c83f6ae9dbc1e7b44860ff40d0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9aeacde4da0f02d42fd968fd32f245828b230171"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/db2872d054e467810078e2b9f440a5b326a601b2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dd815e6e3918dc75a49aaabac36e4f024d675101"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e7ff754e339e3d5ce29aa9f95352d0186df8fbd9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4e8402a3f884427f9233ba436459c158d1f2e114,3b646516cba2ebc4b51a72954903326e7c1e443f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4e8402a3f884427f9233ba436459c158d1f2e114,807bd1258453c4c83f6ae9dbc1e7b44860ff40d0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4e8402a3f884427f9233ba436459c158d1f2e114,9aeacde4da0f02d42fd968fd32f245828b230171)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4e8402a3f884427f9233ba436459c158d1f2e114,e7ff754e339e3d5ce29aa9f95352d0186df8fbd9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4e8402a3f884427f9233ba436459c158d1f2e114,db2872d054e467810078e2b9f440a5b326a601b2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4e8402a3f884427f9233ba436459c158d1f2e114,dd815e6e3918dc75a49aaabac36e4f024d675101)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.24"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.24)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:38:19.381725+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel patch that adds the payload length check for L2CAP_INFO_RSP", "If using an older kernel, upgrade to a version that includes the fix referenced in the provided commit logs", "If immediate patching is not possible, disable or restrict Bluetooth services on the host", "Verify that no unnecessary L2CAP services are exposed to untrusted devices"], "summary": {"action": "Apply Patch", "impact": "Out-of-Bounds Read"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the Linux kernel code that implements Bluetooth L2CAP support. All distributions that include a Linux kernel version prior to the commit that added the payload length check are affected. No specific version list is provided, but the issue is fixed by the patch referenced in the supplied commit URLs.", "description_and_impact": "In the Linux kernel, a flaw in the L2CAP layer causes the kernel to read memory beyond the bounds of a received L2CAP_INFO_RSP packet when the payload length is insufficient. The implementation only checks the command header size, but then accesses fields in the payload without validating that the required bytes are present. When an attacker sends a truncated packet with a success result, the kernel performs an out\u2011of\u2011bounds read of the surrounding skb data. This may expose kernel memory contents or other private data, or potentially lead to a crash. The weakness corresponds to an unchecked array bounds read (CWE\u2011788).", "risk_and_exploitability": "The CVSS score is not supplied, and public exploitation data is not available. Exploitation would require an attacker to communicate with the target device over Bluetooth and send a crafted L2CAP_INFO_RSP request. This limits the threat to nearby or connected devices in which Bluetooth is enabled. Because the vulnerability leads only to a read, the likelihood of a successful leak or crash depends on the kernel\u2019s memory layout and the presence of sensitive data adjacent to the buffer. Overall risk is considered moderate, and the priority should be addressed through timely kernel upgrades."}}}}, "created": "2026-04-03T21:13:20.015669+00:00", "updated": "2026-04-03T21:15:33.979272+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-788"]}