{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31497", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.102Z", "datePublished": "2026-04-22T13:54:19.051Z", "dateUpdated": "2026-05-11T22:09:53.017Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:09:53.017Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: clamp SCO altsetting table indices\n\nbtusb_work() maps the number of active SCO links to USB alternate\nsettings through a three-entry lookup table when CVSD traffic uses\ntransparent voice settings. The lookup currently indexes alts[] with\ndata->sco_num - 1 without first constraining sco_num to the number of\navailable table entries.\n\nWhile the table only defines alternate settings for up to three SCO\nlinks, data->sco_num comes from hci_conn_num() and is used directly.\nCap the lookup to the last table entry before indexing it so the\ndriver keeps selecting the highest supported alternate setting without\nreading past alts[]."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bluetooth/btusb.c"], "versions": [{"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "312c4450fe23014665c163f480edd5ad2e27bbb8", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "9dd13a8641de79bc1bc93da55cdd35259a002683", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "476c9262b430c38c6a701a3b8176a3f48689085b", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "6fba3c3d48c927e55611a0f5ea34da88138ed0ff", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "834cf890d2c3d29cbfa1ee2376c40469c28ec297", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "1019028eb124564cf7bca58a16f1df8a1ca30726", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "21c254202f9d78abe0fcd642a92966deb92bd226", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "129fa608b6ad08b8ab7178eeb2ec272c993aaccc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bluetooth/btusb.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/312c4450fe23014665c163f480edd5ad2e27bbb8"}, {"url": "https://git.kernel.org/stable/c/9dd13a8641de79bc1bc93da55cdd35259a002683"}, {"url": "https://git.kernel.org/stable/c/476c9262b430c38c6a701a3b8176a3f48689085b"}, {"url": "https://git.kernel.org/stable/c/6fba3c3d48c927e55611a0f5ea34da88138ed0ff"}, {"url": "https://git.kernel.org/stable/c/834cf890d2c3d29cbfa1ee2376c40469c28ec297"}, {"url": "https://git.kernel.org/stable/c/1019028eb124564cf7bca58a16f1df8a1ca30726"}, {"url": "https://git.kernel.org/stable/c/21c254202f9d78abe0fcd642a92966deb92bd226"}, {"url": "https://git.kernel.org/stable/c/129fa608b6ad08b8ab7178eeb2ec272c993aaccc"}], "title": "Bluetooth: btusb: clamp SCO altsetting table indices", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "322D472B-4DA0-4679-9950-28C0EBB5BBA0", "versionEndExcluding": "5.10.253", "versionStartIncluding": "5.8.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B", "versionEndExcluding": "6.1.168", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.8:-:*:*:*:*:*:*", "matchCriteriaId": "0E2DC66F-4A95-475F-B8B6-191DEC1E7EF6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: clamp SCO altsetting table indices\n\nbtusb_work() maps the number of active SCO links to USB alternate\nsettings through a three-entry lookup table when CVSD traffic uses\ntransparent voice settings. The lookup currently indexes alts[] with\ndata->sco_num - 1 without first constraining sco_num to the number of\navailable table entries.\n\nWhile the table only defines alternate settings for up to three SCO\nlinks, data->sco_num comes from hci_conn_num() and is used directly.\nCap the lookup to the last table entry before indexing it so the\ndriver keeps selecting the highest supported alternate setting without\nreading past alts[]."}], "id": "CVE-2026-31497", "lastModified": "2026-04-28T14:42:28.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T14:16:47.857", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1019028eb124564cf7bca58a16f1df8a1ca30726"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/129fa608b6ad08b8ab7178eeb2ec272c993aaccc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/21c254202f9d78abe0fcd642a92966deb92bd226"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/312c4450fe23014665c163f480edd5ad2e27bbb8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/476c9262b430c38c6a701a3b8176a3f48689085b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6fba3c3d48c927e55611a0f5ea34da88138ed0ff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/834cf890d2c3d29cbfa1ee2376c40469c28ec297"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9dd13a8641de79bc1bc93da55cdd35259a002683"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Bluetooth: btusb: clamp SCO altsetting table indices", "id": "2460657", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460657"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1285", "details": ["A flaw was found in the Linux kernel's Bluetooth USB (btusb) driver. An attacker with control over Bluetooth connections could trigger an out-of-bounds read in the `btusb_work()` function. This occurs because the function, which maps active Synchronous Connection-Oriented (SCO) links to USB alternate settings, uses an unconstrained index when accessing an internal lookup table. This vulnerability could lead to system instability or a denial of service."], "name": "CVE-2026-31497", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31497\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31497\nhttps://lore.kernel.org/linux-cve-announce/2026042203-CVE-2026-31497-f54a@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,312c4450fe23014665c163f480edd5ad2e27bbb8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,9dd13a8641de79bc1bc93da55cdd35259a002683)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,476c9262b430c38c6a701a3b8176a3f48689085b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,6fba3c3d48c927e55611a0f5ea34da88138ed0ff)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,834cf890d2c3d29cbfa1ee2376c40469c28ec297)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,1019028eb124564cf7bca58a16f1df8a1ca30726)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,21c254202f9d78abe0fcd642a92966deb92bd226)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,129fa608b6ad08b8ab7178eeb2ec272c993aaccc)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.8"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.8)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,6.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,6.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T02:24:55.053212+00:00", "value": {"mitigation_remediation": ["Apply the official kernel update that contains the btusb patch from your distribution\u2019s security advisory.", "If an immediate update is not possible, unload the btusb module to prevent it from loading.", "Disable Bluetooth services that accept incoming connections until the driver is updated.", "Restrict pairing to trusted devices or limit the number of simultaneous SCO links to avoid exceeding the table size."], "summary": {"action": "Apply Patch", "impact": "Potential kernel crash due to out\u2011of\u2011bounds array indexing in the btusb driver"}, "threat_synthesis": {"affected_systems": "All Linux kernels that ship the buggy btusb driver are affected. The CVE references include Linux kernel 5.8 and all 7.0 release candidates (rc1\u2011rc7). Any Linux kernel build that includes the unpatched btusb implementation is susceptible.", "description_and_impact": "The btusb driver maps active SCO links to USB alternate settings through a lookup table that only supports up to three links. The code indexes this table using data->sco_num - 1, and data->sco_num is obtained from hci_conn_num() without being bounded to the table size. Because the table contains only three entries, an unbounded index can read past the end of the array, which may lead to incorrect memory reads and potentially cause the kernel to crash. The description does not indicate any information disclosure beyond a possible kernel failure.", "risk_and_exploitability": "The CVSS score is 5.5, and the EPSS score is less than 1%, indicating a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The missing bounds check can be triggered by an attacker that initiates multiple SCO links over Bluetooth. While the description only mentions the out\u2011of\u2011bounds access, it is inferred that a malicious actor could cause kernel instability by exploiting the unchecked index."}}}}, "created": "2026-04-22T19:00:08.089054+00:00", "updated": "2026-04-29T02:30:07.588099+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}