CVE-2026-31513

Source
https://cve.org/CVERecord?id=CVE-2026-31513
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31513.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31513
Downstream
Published
2026-04-22T13:54:30.835Z
Modified
2026-07-15T01:48:56.868901472Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2capecredconn_req

Syzbot reported a KASAN stack-out-of-bounds read in l2capbuildcmd() that is triggered by a malformed Enhanced Credit Based Connection Request.

The vulnerability stems from l2capecredconnreq(). The function allocates a local stack buffer (pdu) designed to hold a maximum of 5 Source Channel IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more than 5 SCIDs, the function calculates rsp_len based on this unvalidated cmd_len before checking if the number of SCIDs exceeds L2CAPECREDMAXCID.

If the SCID count is too high, the function correctly jumps to the response label to reject the packet, but rsp_len retains the attacker's oversized value. Consequently, l2capsendcmd() is instructed to read past the end of the 18-byte pdu buffer, triggering a KASAN panic.

Fix this by moving the assignment of rsp_len to after the num_scid boundary check. If the packet is rejected, rsp_len will safely remain 0, and the error response will only read the 8-byte base header from the stack.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31513.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
935f324e4b2461df2cf7f02b4195082b4304c708
Fixed
c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e981a9392800ce2c5bca196a6ab2c55e9370efaa
Fixed
5b35f8211a913cfe7ab9d54fa36a272d2059a588
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f3fdf2e7276a3edc5df55454275da20eac186970
Fixed
a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c28d2bff70444a85b3b86aaf241ece9408c7858c
Fixed
9d87cb22195b2c67405f5485d525190747ad5493

Affected versions

v6.*
v6.12.75
v6.12.76
v6.12.77
v6.12.78
v6.12.79
v6.18.16
v6.18.17
v6.18.18
v6.18.19
v6.18.20
v6.19.10
v6.19.6
v6.19.7
v6.19.8
v6.19.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31513.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.75
Fixed
6.12.80
Type
ECOSYSTEM
Events
Introduced
6.18.16
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.6
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31513.json"