CVE-2026-31512
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb.
The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the same validation to the Enhanced Credit Based Flow Control data path.
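A userspace C model of the check described above, added here as an example; it is not the kernel's code or the upstream patch. The function names and the `SAMPLE` buffer are constructed for illustration, and a plain length comparison stands in for the kernel's pskb_may_pull() call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SDULEN_SIZE 2 /* same value as L2CAP_SDULEN_SIZE in the description */

/* Constructed sample: a 1-byte PDU (0x05) followed by unrelated bytes that
 * stand in for whatever lies after the valid data in the real buffer. */
static const uint8_t SAMPLE[4] = { 0x05, 0xAA, 0xBB, 0xCC };

/* Little-endian 16-bit read, the job get_unaligned_le16() does in the kernel. */
static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Unchecked form: assumes the SDU length field is present and ignores len. */
int sdu_len_unchecked(const uint8_t *data, size_t len)
{
    (void)len;
    return read_le16(data);
}

/* Checked form: reject the PDU before any read if the field is incomplete. */
int sdu_len_checked(const uint8_t *data, size_t len)
{
    if (len < SDULEN_SIZE)
        return -1;
    return read_le16(data);
}

int main(void)
{
    /* Valid length is 1, so only SAMPLE[0] belongs to the PDU. */
    printf("unchecked: 0x%04x\n", (unsigned)sdu_len_unchecked(SAMPLE, 1));
    printf("checked:   %d\n", sdu_len_checked(SAMPLE, 1));
    printf("checked:   0x%04x\n", (unsigned)sdu_len_checked(SAMPLE, 4));
    return 0;
}
```

With a valid length of 1, the unchecked form folds the neighbouring byte 0xAA into the returned SDU length, while the checked form rejects the PDU.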
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing length check in the Linux kernel's Bluetooth L2CAP Enhanced Credit Based Flow Control data path allows an out-of-bounds read when processing malformed packets.
Vulnerability
In the Linux kernel's Bluetooth subsystem, the function l2cap_ecred_data_rcv() in the L2CAP layer reads the SDU length field from the incoming skb data using get_unaligned_le16() without first verifying that the skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this results in reading past the valid data in the skb, leading to an out-of-bounds read [1].
Exploitation
An attacker with the ability to send crafted Bluetooth L2CAP packets to a vulnerable system can trigger this issue. The attack requires no special privileges beyond the ability to communicate over Bluetooth. The Enhanced Credit Based Flow Control (ECRED) path is used for connection-oriented data, and a malformed packet with a short length can cause the kernel to read memory beyond the packet boundary.
Impact
Successful exploitation could lead to information disclosure, as the out-of-bounds read may leak sensitive kernel memory. The CVSS v3 score of 5.5 (Medium) reflects the potential for confidentiality impact, though the attack complexity is high and requires local access or close proximity.
Mitigation
The fix adds a pskb_may_pull() check before reading the SDU length, consistent with the existing validation in the ERTM reassembly path. The patch has been applied to the Linux kernel stable branches as seen in commits [1], [2], [3], and [4]. Users should update to the latest kernel version containing this fix.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=3.14.1,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:3.14:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b (nvd, Patch)
- git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f (nvd, Patch)
- git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4 (nvd, Patch)
- git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86 (nvd, Patch)
- git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209 (nvd, Patch)
- git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6 (nvd, Patch)
- git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949 (nvd, Patch)
- git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4 (nvd, Patch)