Stack-out-of-bounds read in Linux kernel Bluetooth component
CVE-2026-31513
What is CVE-2026-31513?
A vulnerability in the Linux kernel's Bluetooth protocol implementation allows attackers to exploit a stack-out-of-bounds read condition. This occurs within the function l2cap_ecred_conn_req() when improperly processed Enhanced Credit Based Connection Requests, specifically those containing more than five Source Channel IDs (SCIDs). The function calculates a response length based on unvalidated command length parameters, leading to potential reading beyond the allocated 18-byte stack buffer. This flaw can result in a KASAN panic, exposing the system to further risks. The issue has been addressed by repositioning the response length assignment to ensure it only updates after verifying the number of SCIDs, preventing overflow during error handling.
Affected Version(s)
Linux 935f324e4b2461df2cf7f02b4195082b4304c708
Linux e981a9392800ce2c5bca196a6ab2c55e9370efaa < 5b35f8211a913cfe7ab9d54fa36a272d2059a588
Linux f3fdf2e7276a3edc5df55454275da20eac186970