PatchSiren

CVE-2026-31393 Linux CVE debrief

A vulnerability in the Linux kernel's Bluetooth L2CAP subsystem allows out-of-bounds reads when processing malformed L2CAP_INFO_RSP packets. The l2cap_information_rsp() function validates that the command length covers the fixed 4-byte header but fails to verify payload presence before accessing rsp->data. For L2CAP_IT_FEAT_MASK, this results in a 4-byte overread; for L2CAP_IT_FIXED_CHAN, a 1-byte overread. A truncated response with result == L2CAP_IR_SUCCESS triggers reads of adjacent skb data. The fix adds explicit payload length checks before each data access, allowing safe state machine completion with zeroed defaults when payloads are undersized.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-26
Advisory published: 2026-04-03
Advisory updated: 2026-05-26

Who should care

Linux system administrators, embedded device manufacturers using Bluetooth, kernel maintainers, security teams in organizations deploying Linux-based Bluetooth infrastructure

Technical summary

The vulnerability exists in net/bluetooth/l2cap_core.c in the l2cap_information_rsp() function. The function checks cmd_len >= L2CAP_INFO_RSP_SIZE (4 bytes) but then accesses rsp->data without verifying sufficient remaining length. For info_type L2CAP_IT_FEAT_MASK, get_unaligned_le32(rsp->data) requires 4 additional bytes (cmd_len >= 8). For L2CAP_IT_FIXED_CHAN, rsp->data[0] requires 1 additional byte (cmd_len >= 5). When a malicious or malformed peer sends a truncated L2CAP_INFO_RSP with result L2CAP_IR_SUCCESS, the kernel reads beyond the allocated skb buffer into adjacent memory. The fix introduces explicit length validation: for L2CAP_IT_FEAT_MASK, checks cmd_len >= 8; for L2CAP_IT_FIXED_CHAN, checks cmd_len >= 5. On validation failure, the function skips the read, allowing feat_mask and remote_fixed_chan to remain zero (from kzalloc), ensuring proper info timer cleanup and l2cap_conn_start() execution without stalling the connection.
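The length checks described above, as an added user-space example (not the kernel's code or the upstream patch). The struct and function names are hypothetical, the numeric values of the L2CAP constants are taken from the kernel's l2cap.h rather than from this page, and the sample packets are constructed.

```c
/* Added example: user-space model, not the kernel's l2cap_information_rsp(). */
#include <stddef.h>
#include <stdint.h>

#define L2CAP_INFO_RSP_SIZE 4      /* fixed header: type (2) + result (2) */
#define L2CAP_IT_FEAT_MASK  0x0002
#define L2CAP_IT_FIXED_CHAN 0x0003
#define L2CAP_IR_SUCCESS    0x0000

/* Hypothetical stand-in for the connection fields; starts zeroed like kzalloc. */
struct info_state {
    uint32_t feat_mask;
    uint8_t  remote_fixed_chan;
    int      handled;              /* 1 = response consumed, setup may continue */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one information response of cmd_len bytes into a fresh state. */
struct info_state parse_info_rsp(const uint8_t *buf, size_t cmd_len)
{
    struct info_state st = {0};

    if (cmd_len < L2CAP_INFO_RSP_SIZE)
        return st;                                  /* no fixed header: drop */

    uint16_t type = le16(buf), result = le16(buf + 2);
    size_t payload = cmd_len - L2CAP_INFO_RSP_SIZE; /* bytes behind rsp->data */

    if (result == L2CAP_IR_SUCCESS) {
        if (type == L2CAP_IT_FEAT_MASK && payload >= sizeof(uint32_t))
            st.feat_mask = le32(buf + L2CAP_INFO_RSP_SIZE);    /* cmd_len >= 8 */
        else if (type == L2CAP_IT_FIXED_CHAN && payload >= 1)
            st.remote_fixed_chan = buf[L2CAP_INFO_RSP_SIZE];   /* cmd_len >= 5 */
    }
    st.handled = 1;   /* undersized payload: keep zero defaults, do not stall */
    return st;
}

/* Constructed samples (not captured traffic). */
static const uint8_t FEAT_OK[]    = {0x02, 0x00, 0x00, 0x00, 0xb8, 0x02, 0x00, 0x00};
static const uint8_t FEAT_SHORT[] = {0x02, 0x00, 0x00, 0x00, 0xb8, 0x02};
static const uint8_t CHAN_OK[]    = {0x03, 0x00, 0x00, 0x00, 0x06};
static const uint8_t CHAN_SHORT[] = {0x03, 0x00, 0x00, 0x00};
```

The truncated samples still come back with `handled` set and both fields at zero, which models the patched behaviour of completing the exchange instead of reading past the received bytes.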

Defensive priority

HIGH

Recommended defensive actions

  • Apply kernel patches from stable branches: 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.20+, 6.19.10+, or 7.0-rc5+
  • Verify Bluetooth L2CAP input validation in custom kernel builds
  • Monitor for kernel updates on affected distributions
  • Review Bluetooth stack configurations for unnecessary L2CAP feature exposure

Evidence notes

CVE published 2026-04-03; NVD modified 2026-05-26. Affects Linux kernel versions from 2.6.24 onward across multiple stable branches, up to the fixed releases (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10), and 7.0-rc1 through rc4. CVSS 3.1 score 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). CWE-125: Out-of-bounds Read.
