PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31771 Linux CVE debrief

CVE-2026-31771 is a Linux kernel Bluetooth vulnerability in HCI event processing. The issue was published on 2026-05-01 and updated on 2026-05-11, with fixes referenced in the NVD record and Linux kernel stable patches. The bug allowed wake-reason storage to run before per-event length validation, so a short HCI event frame could reach a memory-copy path before bounds checks completed. The fix moves wake-address storage into already-validated event handlers and tightens the locking contract around the helper.

Vendor: Linux
Product: CVE-2026-31771
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-01
Original CVE updated: 2026-05-11
Advisory published: 2026-05-01
Advisory updated: 2026-05-11

Who should care

Linux kernel maintainers, distro security teams, and operators of systems with Bluetooth enabled—especially those running affected kernel ranges identified by NVD.

Technical summary

According to the supplied description, hci_store_wake_reason() was called from hci_event_packet() after the HCI event header was stripped but before hci_event_func() enforced per-event minimum payload length from hci_ev_table. That ordering meant malformed or short HCI event frames could reach bacpy() without a prior bounds check. The remediation moves wake-address storage into individual event handlers after their existing event-length validation succeeds, and turns hci_store_wake_reason() into a small helper that stores only an already-validated bdaddr while hdev->lock is held. The helper is annotated with __must_hold(&hdev->lock) and lockdep_assert_held(&hdev->lock) to preserve the locking contract. The affected handler set listed in the source includes hci_conn_request_evt(), hci_conn_complete_evt(), hci_sync_conn_complete_evt(), le_conn_complete_evt(), hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(), hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and hci_le_past_received_evt().
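
The ordering problem described above, as an added userspace sketch that is not the kernel patch or any code from the advisory: the length check runs before the address copy, and the pre-fix order is expressed only as a predicate that reads nothing. All model_ names, the two-entry event table and the sample frame are assumptions made for this illustration.

```c
/* Userspace model of the validation order; added example, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BDADDR_LEN 6
struct model_hdev { uint8_t wake_addr[BDADDR_LEN]; int wake_addr_set; };

/* Per-event minimum payload length (the role hci_ev_table plays) and address offset. */
struct model_ev { uint8_t code; size_t min_len; size_t addr_off; };
static const struct model_ev model_ev_table[] = {
    { 0x03, 11, 3 }, /* Connection Complete: status, handle, bdaddr, ... (assumed layout) */
    { 0x04, 10, 0 }, /* Connection Request: bdaddr, class, link type (assumed layout) */
};

static const struct model_ev *model_lookup(uint8_t code)
{
    for (size_t i = 0; i < sizeof(model_ev_table) / sizeof(model_ev_table[0]); i++)
        if (model_ev_table[i].code == code)
            return &model_ev_table[i];
    return NULL;
}

/* Pre-fix order as a predicate: would the copy run on a payload too short to hold the address? */
static int model_prefix_copy_unchecked(uint8_t code, size_t len)
{
    const struct model_ev *ev = model_lookup(code);
    return ev && len < ev->addr_off + BDADDR_LEN;
}

/* Post-fix order: enforce the minimum length, then store. 0 = stored, -1 = rejected. */
static int model_event_packet(struct model_hdev *hdev, uint8_t code,
                              const uint8_t *payload, size_t len)
{
    const struct model_ev *ev = model_lookup(code);
    if (!ev || len < ev->min_len)
        return -1;
    memcpy(hdev->wake_addr, payload + ev->addr_off, BDADDR_LEN);
    hdev->wake_addr_set = 1;
    return 0;
}

int main(void)
{
    struct model_hdev hdev = {0};
    const uint8_t short_evt[2] = { 0x00, 0x01 }; /* constructed, truncated payload */
    printf("unchecked before fix: %d, result after fix: %d\n", model_prefix_copy_unchecked(0x03, 2),
           model_event_packet(&hdev, 0x03, short_evt, sizeof(short_evt)));
    return 0;
}
```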

Defensive priority

High. The CVSS vector is AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, indicating a Bluetooth-proximate attack surface with potential confidentiality and availability impact in kernel space. Systems with Bluetooth enabled should prioritize patching.

Recommended defensive actions

  • Apply the Linux kernel fixes referenced by the official stable patch links.
  • Upgrade kernel builds in the affected ranges listed by NVD, including versions from 5.10 up to, but not including, 6.19.12, and the referenced 7.0 release candidates.
  • Verify vendor backports for your distribution rather than relying only on upstream version numbers.
  • If Bluetooth is not required on a system, consider disabling it as a temporary reduction of exposure until patched.
  • Track distro advisories that incorporate the upstream fix into supported kernel packages.

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus and the official kernel patch references. The description explicitly states the validation-order bug, the helper refactor, the lock contract annotations, and the affected event handlers. NVD marks the issue as analyzed with CVSS 3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H and lists affected Linux kernel CPE ranges from 5.10 up to, but not including, 6.19.12, plus 7.0 rc1 through rc6. No KEV data was supplied.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-01 and updated by NVD on 2026-05-11 with patch references.