CVE-2026-31512
Published: Apr 22, 2026
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the same validation to the Enhanced Credit Based Flow Control data path.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected aac23bf636593cc2d67144aed373a46a1a5f76b1 - < cef09691cfb61f6c91cc27c3d69634f81c8ab949affected aac23bf636593cc2d67144aed373a46a1a5f76b1 - < 3340be2bafdcc806f048273ea6d8e82a6597aa1baffected aac23bf636593cc2d67144aed373a46a1a5f76b1 - < e47315b84d0eb188772c3ff5cf073cdbdefca6b4affected aac23bf636593cc2d67144aed373a46a1a5f76b1 - < 477ad4976072056c348937e94f24583321938df4affected aac23bf636593cc2d67144aed373a46a1a5f76b1 - < 40c7f7eea2f4d9cb0b3e924254c8c9053372168f+3 more versions |
Linux | Linux | affected 3.14unaffected 0 - < 3.14unaffected 5.10.253 - <= 5.10.*unaffected 5.15.203 - <= 5.15.*unaffected 6.1.168 - <= 6.1.*+5 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now