Cyber Resilience

CVE-2026-31513

High

Published: 22 April 2026

Modified: 28 April 2026
KEV Added: not listed
Patch
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0025 (16.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31513 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 16.3th percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-31513 is a stack out-of-bounds read vulnerability in the Linux kernel's Bluetooth L2CAP implementation, specifically within the l2cap_ecred_conn_req() function. The flaw occurs when processing a malformed Enhanced Credit Based Connection Request with more than five Source Channel IDs (SCIDs). The function allocates an 18-byte stack buffer to hold up to five SCIDs, but it calculates the response length (rsp_len) using the attacker's unvalidated cmd_len before verifying if the SCID count exceeds L2CAP_ECRED_MAX_CID. If the count is invalid, the function rejects the packet but retains the oversized rsp_len value, causing l2cap_send_cmd() to read past the end of the pdu buffer and trigger a KASAN panic.

An attacker with adjacent network access via Bluetooth, requiring no privileges or user interaction, can exploit this by sending a crafted L2CAP Enhanced Credit Based Connection Request. Successful exploitation leads to a stack out-of-bounds read, enabling potential disclosure of sensitive stack memory and kernel panic for denial-of-service. The vulnerability scores 8.1 on CVSS 3.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and is associated with CWE-125 (Out-of-bounds Read).

Patches for stable Linux kernel releases address the issue by moving the rsp_len assignment after the num_scid boundary check, as detailed in commits such as 5b35f8211a913cfe7ab9d54fa36a272d2059a588, 9d87cb22195b2c67405f5485d525190747ad5493, a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b, and c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc. With the reordered check, rejected packets leave rsp_len at 0, limiting reads to the safe 8-byte base header and preventing the out-of-bounds access.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req. Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd() that is triggered by a malformed Enhanced Credit Based Connection Request. The vulnerability stems from l2cap_ecred_conn_req(). The function allocates a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated `cmd_len` before checking if the number of SCIDs exceeds L2CAP_ECRED_MAX_CID. If the SCID count is too high, the function correctly jumps to the `response` label to reject the packet, but `rsp_len` retains the attacker's oversized value. Consequently, l2cap_send_cmd() is instructed to read past the end of the 18-byte `pdu` buffer, triggering a KASAN panic. Fix this by moving the assignment of `rsp_len` to after the `num_scid` boundary check. If the packet is rejected, `rsp_len` will safely remain 0, and the error response will only read the 8-byte base header from the stack.
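As an added illustration (not code from this page or from the kernel), the following C model reproduces the ordering of the `rsp_len` computation and the `num_scid` bound check described in the Deeper analysis and in the kernel description above, beside the patched ordering. The constants, struct sizes and function names are assumptions modelled on that description; the kernel's real structures and send path are simplified to the length arithmetic that matters here.

```c
/* Model of the rsp_len ordering bug described above; not the kernel's code. */
#include <stdio.h>
#include <stddef.h>

#define L2CAP_ECRED_MAX_CID 5
#define REQ_FIXED_LEN 8  /* request header: psm, mtu, mps, credits (4 x u16), assumed */
#define RSP_BASE_LEN  8  /* response header: mtu, mps, credits, result (4 x u16) */
#define PDU_STACK_LEN (RSP_BASE_LEN + 2 * L2CAP_ECRED_MAX_CID) /* 18-byte stack pdu */

/* Vulnerable ordering: rsp_len is derived from the peer-controlled cmd_len before
 * num_scid is bounded. Returns the byte count handed to the sender (0 = too short, dropped). */
static size_t vuln_response_len(size_t cmd_len) {
    size_t num_scid, rsp_len = 0;
    if (cmd_len < REQ_FIXED_LEN)
        return 0;
    num_scid = (cmd_len - REQ_FIXED_LEN) / 2;
    rsp_len = 2 * num_scid;             /* dcid bytes, computed from unvalidated input */
    if (num_scid > L2CAP_ECRED_MAX_CID)
        goto response;                  /* rejected, but rsp_len keeps the oversized value */
response:
    return RSP_BASE_LEN + rsp_len;      /* sender copies this many bytes out of pdu */
}

/* Fixed ordering, as the page describes the patch: bound num_scid first, so a
 * rejected request leaves rsp_len at 0 and only the 8-byte header is read. */
static size_t fixed_response_len(size_t cmd_len) {
    size_t num_scid, rsp_len = 0;
    if (cmd_len < REQ_FIXED_LEN)
        return 0;
    num_scid = (cmd_len - REQ_FIXED_LEN) / 2;
    if (num_scid > L2CAP_ECRED_MAX_CID)
        goto response;
    rsp_len = 2 * num_scid;             /* only reached for a validated count */
response:
    return RSP_BASE_LEN + rsp_len;
}

/* Bytes the sender would read beyond the 18-byte stack buffer (what KASAN reports). */
static size_t oob_bytes(size_t response_len) {
    return response_len > PDU_STACK_LEN ? response_len - PDU_STACK_LEN : 0;
}

int main(void) {
    size_t cmd_len = REQ_FIXED_LEN + 2 * 6;  /* constructed: six SCIDs, one over the limit */
    printf("vulnerable: %zu bytes sent, %zu past pdu\n", vuln_response_len(cmd_len), oob_bytes(vuln_response_len(cmd_len)));
    printf("fixed:      %zu bytes sent, %zu past pdu\n", fixed_response_len(cmd_len), oob_bytes(fixed_response_len(cmd_len)));
    return 0;
}
```

With the constructed six-SCID request the vulnerable ordering hands the sender 20 bytes from an 18-byte buffer, while the fixed ordering sends only the 8-byte header; a request with five SCIDs produces the same 18-byte response in both versions.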

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The out-of-bounds read directly enables kernel stack memory disclosure (T1005, Data from Local System) and a KASAN panic / denial of service via a crafted L2CAP packet (T1499.004, Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21742 · Same product: Linux Linux Kernel
CVE-2026-23187 · Same product: Linux Linux Kernel
CVE-2025-71093 · Same product: Linux Linux Kernel
CVE-2025-71231 · Same product: Linux Linux Kernel
CVE-2022-49623 · Same product: Linux Linux Kernel
CVE-2025-21741 · Same product: Linux Linux Kernel
CVE-2026-23397 · Same product: Linux Linux Kernel
CVE-2026-23315 · Same product: Linux Linux Kernel
CVE-2025-71133 · Same product: Linux Linux Kernel
CVE-2024-52332 · Same product: Linux Linux Kernel

Affected Assets

linux · linux kernel
Affected versions: 6.12.75 — 6.12.80 · 6.18.16 — 6.18.21 · 6.19.6 — 6.19.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Control type: prevent

Requires validation of malformed L2CAP Enhanced Credit Based Connection Request parameters like cmd_len and num_scid before processing to prevent stack out-of-bounds reads.

Control type: prevent

Mandates timely identification, testing, and installation of patches for the specific flaw in l2cap_ecred_conn_req() that causes oversized rsp_len on invalid SCID counts.

Control type: prevent, detect

Implements kernel memory protections such as bounds checking and stack canaries to block or detect out-of-bounds reads from oversized PDU buffer accesses in Bluetooth L2CAP.
