{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31512", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.107Z", "datePublished": "2026-04-22T13:54:30.171Z", "dateUpdated": "2026-05-11T22:10:13.614Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:10:13.614Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb->data using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "cef09691cfb61f6c91cc27c3d69634f81c8ab949", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "3340be2bafdcc806f048273ea6d8e82a6597aa1b", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "e47315b84d0eb188772c3ff5cf073cdbdefca6b4", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "477ad4976072056c348937e94f24583321938df4", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "40c7f7eea2f4d9cb0b3e924254c8c9053372168f", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "8c96f3bd4ae0802db90630be8e9851827e9c9209", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "5ad981249be52f5e4e92e0e97b436b569071cb86", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "c65bd945d1c08c3db756821b6bf9f1c4a77b29c6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "3.14", "status": "affected"}, {"version": "0", "lessThan": "3.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949"}, {"url": "https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b"}, {"url": "https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4"}, {"url": "https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4"}, {"url": "https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f"}, {"url": "https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209"}, {"url": "https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86"}, {"url": "https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6"}], "title": "Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96775134-B6E9-42CE-A367-9B4C33EFBF22", "versionEndExcluding": "5.10.253", "versionStartIncluding": "3.14.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B", "versionEndExcluding": "6.1.168", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.14:-:*:*:*:*:*:*", "matchCriteriaId": "851B1505-0318-49F4-8D7C-196BE04FF173", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb->data using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path."}], "id": "CVE-2026-31512", "lastModified": "2026-04-28T15:08:37.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T14:16:50.490", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()", "id": "2460696", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460696"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-1284", "details": ["A flaw was found in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) component. The l2cap_ecred_data_rcv() function fails to validate the incoming data packet unit (PDU) length before attempting to read the Service Data Unit (SDU) length. This oversight allows an attacker to craft a malicious packet that, when processed, can cause the system to read beyond the allocated buffer, potentially leading to information disclosure or a denial of service."], "name": "CVE-2026-31512", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31512\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31512\nhttps://lore.kernel.org/linux-cve-announce/2026042209-CVE-2026-31512-b386@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,cef09691cfb61f6c91cc27c3d69634f81c8ab949)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,3340be2bafdcc806f048273ea6d8e82a6597aa1b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,e47315b84d0eb188772c3ff5cf073cdbdefca6b4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,477ad4976072056c348937e94f24583321938df4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,40c7f7eea2f4d9cb0b3e924254c8c9053372168f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,8c96f3bd4ae0802db90630be8e9851827e9c9209)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,5ad981249be52f5e92e0e97b436b569071cb86)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac23bf636593cc2d67144aed373a46a1a5f76b1,c65bd945d1c08c3db756821b6bf9f1c4a77b29c6)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:59:59.624594+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the l2cap_ecred_data_rcv() patch.", "Restart the Bluetooth service or reboot the system so the updated kernel is active.", "If an immediate kernel update is not possible, temporarily disable the Bluetooth service or block L2CAP traffic until the patch can be applied."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Any Linux system whose kernel builds include the Bluetooth L2CAP stack is potentially affected. The patch has been merged into the main Linux kernel tree, but specific affected kernel releases are not listed in the advisory.", "description_and_impact": "The kernel Bluetooth L2CAP implementation fails to validate the length of an incoming protocol data unit before reading the service data unit length. The routine l2cap_ecred_data_rcv() extracts a 16\u2011bit length field from the packet buffer without confirming that the buffer contains at least two bytes, which can cause an out\u2011of\u2011bounds read of kernel memory. This defect could leak sensitive kernel data to an attacker or trigger an exception that may lead to a crash. The weakness is a buffer over\u2011read (CWE\u20111284) and a memory access error.", "risk_and_exploitability": "The advisory lists a CVSS score of 5.5 and an EPSS score of less than 1%, indicating a medium severity but a very low probability of exploitation at the time of this analysis. The flaw allows only a memory read; exploitation could result in information disclosure or a denial\u2011of\u2011service via a kernel crash. The likely attack vector is through a Bluetooth connection that can supply crafted L2CAP frames, and no local privileges are required. The vulnerability is not listed in the CISA KEV catalog, but the presence of a medium CVSS score and the absence of a known exploit do not diminish the need for timely patching."}}}}, "created": "2026-04-22T18:15:15.246874+00:00", "updated": "2026-04-29T00:00:13.858660+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}