{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31512", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.107Z", "datePublished": "2026-04-22T13:54:30.171Z", "dateUpdated": "2026-04-22T13:54:30.171Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:30.171Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb->data using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "cef09691cfb61f6c91cc27c3d69634f81c8ab949", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "3340be2bafdcc806f048273ea6d8e82a6597aa1b", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "e47315b84d0eb188772c3ff5cf073cdbdefca6b4", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "477ad4976072056c348937e94f24583321938df4", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "40c7f7eea2f4d9cb0b3e924254c8c9053372168f", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "8c96f3bd4ae0802db90630be8e9851827e9c9209", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "5ad981249be52f5e4e92e0e97b436b569071cb86", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "c65bd945d1c08c3db756821b6bf9f1c4a77b29c6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "3.14", "status": "affected"}, {"version": "0", "lessThan": "3.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949"}, {"url": "https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b"}, {"url": "https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4"}, {"url": "https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4"}, {"url": "https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f"}, {"url": "https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209"}, {"url": "https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86"}, {"url": "https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6"}], "title": "Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb->data using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path."}], "id": "CVE-2026-31512", "lastModified": "2026-04-23T16:17:41.280", "metrics": {}, "published": "2026-04-22T14:16:50.490", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()", "id": "2460696", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460696"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-1284", "details": ["A flaw was found in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) component. The l2cap_ecred_data_rcv() function fails to validate the incoming data packet unit (PDU) length before attempting to read the Service Data Unit (SDU) length. This oversight allows an attacker to craft a malicious packet that, when processed, can cause the system to read beyond the allocated buffer, potentially leading to information disclosure or a denial of service."], "name": "CVE-2026-31512", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31512\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31512\nhttps://lore.kernel.org/linux-cve-announce/2026042209-CVE-2026-31512-b386@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,cef09691cfb61f6c91cc27c3d69634f81c8ab949)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,3340be2bafdcc806f048273ea6d8e82a6597aa1b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,e47315b84d0eb188772c3ff5cf073cdbdefca6b4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,477ad4976072056c348937e94f24583321938df4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,40c7f7eea2f4d9cb0b3e924254c8c9053372168f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,8c96f3bd4ae0802db90630be8e9851827e9c9209)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,5ad981249be52f5e92e0e97b436b569071cb86)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,c65bd945d1c08c3db756821b6bf9f1c4a77b29c6)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:40:26.408728+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the l2cap_ecred_data_rcv() patch.", "Restart the Bluetooth service or reboot the system so the updated kernel is active.", "If an immediate kernel update is not possible, temporarily disable the Bluetooth service or block L2CAP traffic until the patch can be applied."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Any Linux system whose kernel builds include the Bluetooth L2CAP stack is potentially affected. The patch has been merged into the main Linux kernel tree, but specific affected kernel releases are not listed in the advisory.", "description_and_impact": "The kernel Bluetooth L2CAP implementation fails to validate the length of an incoming protocol data unit before reading the service data unit length. The routine l2cap_ecred_data_rcv() extracts a 16\u2011bit length field from the packet buffer without confirming that the buffer contains at least two bytes, which can cause an out\u2011of\u2011bounds read of kernel memory. This defect could leak sensitive kernel data to an attacker or trigger an exception that may lead to a crash. The weakness is a classic buffer over\u2011read (CWE\u2011125).", "risk_and_exploitability": "The advisory does not provide a CVSS score or EPSS value, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through a Bluetooth connection that can supply crafted L2CAP frames, so an attacker does not need local privileges. Because the flaw allows only a memory read, exploitation may lead to information disclosure or a denial\u2011of\u2011service via a crash, making it a serious risk for systems that accept untrusted Bluetooth traffic. The absence of a known exploit does not reduce the need to patch, as the vulnerability\u2019s existence alone poses a potential information\u2011leak risk."}}}}, "created": "2026-04-22T18:15:15.246874+00:00", "updated": "2026-04-22T18:45:24.011032+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-125"]}