CVE-2026-31393
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present:
- L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8).
- L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5).
A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data.
Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel's Bluetooth L2CAP subsystem fails to validate the payload length of L2CAP_INFO_RSP packets, leading to an out-of-bounds read.
Vulnerability
Overview
In the Linux kernel's Bluetooth L2CAP implementation, the function l2cap_information_rsp() does not properly validate that the response payload length is sufficient before accessing data past the fixed header [1]. While the code correctly checks that cmd_len covers the initial 4-byte l2cap_info_rsp header (type + result), it subsequently reads variable-length payload data without verifying the actual payload length [1].
Exploitation
Vector
An attacker can send a truncated L2CAP_INFO_RSP packet where result == L2CAP_IR_SUCCESS but the packet data ends immediately after the 4-byte header [1]. When processing such a packet, the handler accesses rsp->data without checking that sufficient bytes are present. For example, L2CAP_IT_FEAT_MASK reads 4 bytes (via get_unaligned_le32) requiring at least 8 total bytes, and L2CAP_IT_FIXED_CHAN reads 1 byte requiring at least 5 total bytes [1]. This lack of validation leads to an out-of-bounds read from the adjacent socket buffer data [1].
Impact
The out-of-bounds read could expose sensitive kernel memory or cause a denial of service if the read accesses unmapped memory, though the primary concern is information disclosure [1]. No authentication is required beyond being able to send L2CAP signaling packets over a Bluetooth connection [1].
Mitigation
The fix adds explicit payload length checks before each data access [1][2][3][4]. If the payload is too short, the affected fields (feat_mask and remote_fixed_chan) are left at their zero-initialized defaults, allowing the connection state machine to proceed normally without stalling [1]. Patches have been applied to multiple stable kernel branches [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/187e6fe939295be36063a1d91f8bebee04399a8cnvd
- git.kernel.org/stable/c/3b646516cba2ebc4b51a72954903326e7c1e443fnvd
- git.kernel.org/stable/c/5229e7d15771eac2b5886bfb1f976aea0c1eec14nvd
- git.kernel.org/stable/c/807bd1258453c4c83f6ae9dbc1e7b44860ff40d0nvd
- git.kernel.org/stable/c/9aeacde4da0f02d42fd968fd32f245828b230171nvd
- git.kernel.org/stable/c/db2872d054e467810078e2b9f440a5b326a601b2nvd
- git.kernel.org/stable/c/dd815e6e3918dc75a49aaabac36e4f024d675101nvd
- git.kernel.org/stable/c/e7ff754e339e3d5ce29aa9f95352d0186df8fbd9nvd
News mentions
0No linked articles in our index yet.