{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31513", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.107Z", "datePublished": "2026-04-22T13:54:30.835Z", "dateUpdated": "2026-04-22T13:54:30.835Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:30.835Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req\n\nSyzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()\nthat is triggered by a malformed Enhanced Credit Based Connection Request.\n\nThe vulnerability stems from l2cap_ecred_conn_req(). The function allocates\na local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel\nIDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more\nthan 5 SCIDs, the function calculates `rsp_len` based on this unvalidated\n`cmd_len` before checking if the number of SCIDs exceeds\nL2CAP_ECRED_MAX_CID.\n\nIf the SCID count is too high, the function correctly jumps to the\n`response` label to reject the packet, but `rsp_len` retains the\nattacker's oversized value. Consequently, l2cap_send_cmd() is instructed\nto read past the end of the 18-byte `pdu` buffer, triggering a\nKASAN panic.\n\nFix this by moving the assignment of `rsp_len` to after the `num_scid`\nboundary check. If the packet is rejected, `rsp_len` will safely\nremain 0, and the error response will only read the 8-byte base header\nfrom the stack."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "935f324e4b2461df2cf7f02b4195082b4304c708", "lessThan": "c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc", "status": "affected", "versionType": "git"}, {"version": "e981a9392800ce2c5bca196a6ab2c55e9370efaa", "lessThan": "5b35f8211a913cfe7ab9d54fa36a272d2059a588", "status": "affected", "versionType": "git"}, {"version": "f3fdf2e7276a3edc5df55454275da20eac186970", "lessThan": "a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b", "status": "affected", "versionType": "git"}, {"version": "c28d2bff70444a85b3b86aaf241ece9408c7858c", "lessThan": "9d87cb22195b2c67405f5485d525190747ad5493", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "6.12.75", "lessThan": "6.12.80", "status": "affected", "versionType": "semver"}, {"version": "6.18.16", "lessThan": "6.18.21", "status": "affected", "versionType": "semver"}, {"version": "6.19.6", "lessThan": "6.19.11", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.75", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.16", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.6", "versionEndExcluding": "6.19.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc"}, {"url": "https://git.kernel.org/stable/c/5b35f8211a913cfe7ab9d54fa36a272d2059a588"}, {"url": "https://git.kernel.org/stable/c/a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b"}, {"url": "https://git.kernel.org/stable/c/9d87cb22195b2c67405f5485d525190747ad5493"}], "title": "Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req\n\nSyzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()\nthat is triggered by a malformed Enhanced Credit Based Connection Request.\n\nThe vulnerability stems from l2cap_ecred_conn_req(). The function allocates\na local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel\nIDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more\nthan 5 SCIDs, the function calculates `rsp_len` based on this unvalidated\n`cmd_len` before checking if the number of SCIDs exceeds\nL2CAP_ECRED_MAX_CID.\n\nIf the SCID count is too high, the function correctly jumps to the\n`response` label to reject the packet, but `rsp_len` retains the\nattacker's oversized value. Consequently, l2cap_send_cmd() is instructed\nto read past the end of the 18-byte `pdu` buffer, triggering a\nKASAN panic.\n\nFix this by moving the assignment of `rsp_len` to after the `num_scid`\nboundary check. If the packet is rejected, `rsp_len` will safely\nremain 0, and the error response will only read the 8-byte base header\nfrom the stack."}], "id": "CVE-2026-31513", "lastModified": "2026-04-22T14:16:50.673", "metrics": {}, "published": "2026-04-22T14:16:50.673", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5b35f8211a913cfe7ab9d54fa36a272d2059a588"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9d87cb22195b2c67405f5485d525190747ad5493"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[935f324e4b2461df2cf7f02b4195082b4304c708,c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e981a9392800ce2c5bca196a6ab2c55e9370efaa,5b35f8211a913cfe7ab9d54fa36a272d2059a588)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f3fdf2e7276a3edc5df55454275da20eac186970,a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c28d2bff70444a85b3b86aaf241ece9408c7858c,9d87cb22195b2c67405f5485d525190747ad5493)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.12.75,6.12.80)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.18.16,6.18.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.19.6,6.19.11)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:39:56.006329+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the latest l2cap_ecred_conn_req fix.", "Rebuild and install any Bluetooth modules to ensure they are linked with the patched kernel.", "If a patch cannot be applied immediately, disable the Bluetooth service or block L2CAP traffic on the network to prevent malformed requests from reaching the host."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Linux kernel\u2019s Bluetooth L2CAP implementation. All kernel releases containing the original l2cap_ecred_conn_req code are potentially impacted until the patch that moves rsp_len assignment past the boundary check is deployed.", "description_and_impact": "A malformed Enhanced Credit Based Connection Request can cause the Linux kernel Bluetooth L2CAP stack to read past a 18\u2011byte stack buffer. The resulting out\u2011of\u2011bounds read triggers a KASAN panic, causing the kernel to crash. While this does not provide code execution, it can bring the system down entirely, leading to a denial of service.", "risk_and_exploitability": "The exploit requires an attacker to send a specially crafted Bluetooth packet that requests more than five Source Channel IDs. The attack vector is inferred to be over the Bluetooth interface, allowing remote or local actors to trigger the crash. No official KEV listing or EPSS score is available, and no CVSS score is provided in the data. Nevertheless, the vulnerability can be triggered by remote devices in proximity, potentially making it feasible for attackers to cause service disruption on affected hosts."}}}}, "created": "2026-04-22T18:45:24.010521+00:00", "updated": "2026-04-22T19:45:25.063168+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-787"]}