In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2capecreddata_rcv()
l2capecreddatarcv() reads the SDU length field from skb->data using getunalignedle16() without first verifying that skb contains at least L2CAPSDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb.
The ERTM reassembly path correctly calls pskbmaypull() before reading the SDU length (l2capreassemblesdu, L2CAPSARSTART case). Apply the same validation to the Enhanced Credit Based Flow Control data path.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31512.json",
"cna_assigner": "Linux"
}