CVE-2026-31497
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: clamp SCO altsetting table indices
btusb_work() maps the number of active SCO links to USB alternate settings through a three-entry lookup table when CVSD traffic uses transparent voice settings. The lookup currently indexes alts[] with data->sco_num - 1 without first constraining sco_num to the number of available table entries.
While the table only defines alternate settings for up to three SCO links, data->sco_num comes from hci_conn_num() and is used directly. Cap the lookup to the last table entry before indexing it so the driver keeps selecting the highest supported alternate setting without reading past alts[].
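A user-space model of the lookup described above, added here as an example; it is not the kernel's btusb code or the upstream patch. The table values, the function names (alt_unclamped, alt_clamped, would_overrun) and the handling of a zero link count are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed three-entry table standing in for the driver's alts[];
 * the values are sample data, not taken from the advisory. */
static const int alts[3] = { 2, 4, 5 };

/* "Before" shape: the link count is trusted as an index. Defined only for
 * 1 <= sco_num <= 3; any other count indexes outside alts[]. */
static int alt_unclamped(unsigned int sco_num)
{
    return alts[sco_num - 1];
}

/* "After" shape: cap the index to the last table entry before the lookup,
 * so larger counts keep selecting the highest supported setting. */
static int alt_clamped(unsigned int sco_num)
{
    size_t idx;

    if (sco_num == 0)   /* assumption: zero links means no table lookup */
        return -1;
    idx = sco_num - 1;
    if (idx > ARRAY_SIZE(alts) - 1)
        idx = ARRAY_SIZE(alts) - 1;
    return alts[idx];
}

/* Returns 1 when the unclamped lookup would leave the table for this count
 * (0 wraps to a huge unsigned index, counts above 3 run past the end). */
static int would_overrun(unsigned int sco_num)
{
    return sco_num == 0 || sco_num > ARRAY_SIZE(alts);
}

int main(void)
{
    for (unsigned int n = 0; n <= 5; n++) {
        /* Call the unclamped form only where it is in bounds. */
        int before = would_overrun(n) ? -1 : alt_unclamped(n);

        printf("sco_num=%u unclamped=%d (overrun=%d) clamped=%d\n",
               n, before, would_overrun(n), alt_clamped(n));
    }
    return 0;
}
```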
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in the Linux kernel's Bluetooth btusb driver, caused by a missing clamp on the SCO link count used to index the alts[] table.
Vulnerability
CVE-2026-31497 is an out-of-bounds read vulnerability in the btusb driver of the Linux kernel's Bluetooth subsystem. The function btusb_work() maps the number of active SCO (Synchronous Connection-Oriented) links to USB alternate settings by indexing a fixed-size lookup table alts[] with data->sco_num - 1. The value data->sco_num is derived from hci_conn_num() and is not clamped to the table's size (3 entries). If more than three SCO links are active, the index exceeds the array bounds, causing an out-of-bounds read. [1][2]
Exploitation
An attacker would need local access and the ability to influence the number of active SCO links beyond three, for example by establishing multiple Bluetooth connections. The attack does not require authentication beyond local system access. The driver subsequently selects an incorrect (potentially non-existent) alternate setting from memory after the array, which can lead to unexpected USB behavior or a kernel crash. [3][4]
Impact
The out-of-bounds read can expose adjacent kernel memory or cause a denial of service (system crash) due to reading invalid USB alternate setting descriptors. The CVSS score of 5.5 (Medium) reflects the requirement for local access and the likelihood of a crash or information disclosure.
Mitigation
The fix is merged into the mainline Linux kernel and stable branches. It clamps the lookup index to the last valid table entry when sco_num exceeds the array size, ensuring the highest supported alternate setting is selected correctly. Users should update their kernel to include the commits referenced in [1]–[4] or apply the backported patches.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.8.1,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:5.8:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
References
- git.kernel.org/stable/c/1019028eb124564cf7bca58a16f1df8a1ca30726 (nvd, Patch)
- git.kernel.org/stable/c/129fa608b6ad08b8ab7178eeb2ec272c993aaccc (nvd, Patch)
- git.kernel.org/stable/c/21c254202f9d78abe0fcd642a92966deb92bd226 (nvd, Patch)
- git.kernel.org/stable/c/312c4450fe23014665c163f480edd5ad2e27bbb8 (nvd, Patch)
- git.kernel.org/stable/c/476c9262b430c38c6a701a3b8176a3f48689085b (nvd, Patch)
- git.kernel.org/stable/c/6fba3c3d48c927e55611a0f5ea34da88138ed0ff (nvd, Patch)
- git.kernel.org/stable/c/834cf890d2c3d29cbfa1ee2376c40469c28ec297 (nvd, Patch)
- git.kernel.org/stable/c/9dd13a8641de79bc1bc93da55cdd35259a002683 (nvd, Patch)