CVE-2026-31513
Published: 22 April 2026
Summary
CVE-2026-31513 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It is ranked at the 16.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-31513 is a stack out-of-bounds read vulnerability in the Linux kernel's Bluetooth L2CAP implementation, specifically within the l2cap_ecred_conn_req() function. The flaw occurs when processing a malformed Enhanced Credit Based Connection Request that carries more than five Source Channel IDs (SCIDs). The function allocates an 18-byte stack buffer to hold up to five SCIDs, but it calculates the response length (rsp_len) from the attacker-controlled, unvalidated cmd_len before verifying whether the SCID count exceeds L2CAP_ECRED_MAX_CID. If the count is invalid, the function rejects the packet but retains the oversized rsp_len value, causing l2cap_send_cmd() to read past the end of the pdu buffer and trigger a KASAN panic.
An attacker with adjacent network access via Bluetooth, requiring no privileges or user interaction, can exploit this by sending a crafted L2CAP Enhanced Credit Based Connection Request. Successful exploitation produces a stack out-of-bounds read, which can disclose sensitive stack memory and panic the kernel (denial of service). The vulnerability scores 8.1 on CVSS 3.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and is associated with CWE-125 (Out-of-bounds Read).
Patches for stable Linux kernel releases address the issue by moving the rsp_len assignment after the num_scid boundary check, as detailed in commits such as 5b35f8211a913cfe7ab9d54fa36a272d2059a588, 9d87cb22195b2c67405f5485d525190747ad5493, a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b, and c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc. With the reordered check, rejected packets leave rsp_len at 0, limiting reads to the safe 8-byte base header and preventing the out-of-bounds access.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24897
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd() that is triggered by a malformed Enhanced Credit Based Connection Request. The vulnerability stems from l2cap_ecred_conn_req(). The function allocates a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated `cmd_len` before checking if the number of SCIDs exceeds L2CAP_ECRED_MAX_CID. If the SCID count is too high, the function correctly jumps to the `response` label to reject the packet, but `rsp_len` retains the attacker's oversized value. Consequently, l2cap_send_cmd() is instructed to read past the end of the 18-byte `pdu` buffer, triggering a KASAN panic. Fix this by moving the assignment of `rsp_len` to after the `num_scid` boundary check. If the packet is rejected, `rsp_len` will safely remain 0, and the error response will only read the 8-byte base header from the stack.
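To make the ordering defect concrete, here is an added simplified C model (not the kernel's code and not part of the advisory) that runs the vulnerable and the patched orderings side by side and reports how many bytes the response path would read from the stack buffer. The sizes (8-byte headers, five SCIDs, 18-byte buffer) come from the text above; the function name, struct layout and header-size breakdown are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Sizes from the advisory: 8-byte base headers, up to 5 SCIDs,
 * so the stack pdu buffer is 8 + 5 * 2 = 18 bytes. */
#define L2CAP_ECRED_MAX_CID 5
#define ECRED_REQ_HDR_LEN   8   /* assumption: psm, mtu, mps, credits */
#define ECRED_RSP_HDR_LEN   8   /* assumption: result, mtu, mps, credits */
#define PDU_STACK_BUF_LEN   (ECRED_RSP_HDR_LEN + L2CAP_ECRED_MAX_CID * sizeof(uint16_t))

/* What the response path would do for one request. */
struct ecred_outcome {
    bool rejected;   /* request refused as invalid */
    size_t send_len; /* bytes the send routine reads from the pdu buffer */
    bool oob_read;   /* send_len exceeds the 18-byte stack buffer */
};

/* Hypothetical model of the handler (not the kernel's code). With
 * fixed == false, rsp_len is derived from cmd_len before the SCID count
 * is checked, as in the vulnerable version; with fixed == true it is
 * assigned only after the check, as in the patch. */
static struct ecred_outcome handle_ecred_conn_req(size_t cmd_len, bool fixed)
{
    struct ecred_outcome out = { false, 0, false };
    size_t rsp_len = 0;   /* stays 0 on every rejected path in the fix */
    size_t num_scid;

    /* Malformed length: reject before any SCID arithmetic. */
    if (cmd_len < ECRED_REQ_HDR_LEN || (cmd_len - ECRED_REQ_HDR_LEN) % sizeof(uint16_t)) {
        out.rejected = true;
        goto response;
    }
    num_scid = (cmd_len - ECRED_REQ_HDR_LEN) / sizeof(uint16_t);

    if (!fixed) /* vulnerable ordering: trusts the unvalidated count */
        rsp_len = num_scid * sizeof(uint16_t);

    if (num_scid > L2CAP_ECRED_MAX_CID) {
        out.rejected = true;
        goto response; /* old path keeps the oversized rsp_len here */
    }
    if (fixed) /* patched ordering: only a validated count reaches rsp_len */
        rsp_len = num_scid * sizeof(uint16_t);

response:
    out.send_len = ECRED_RSP_HDR_LEN + rsp_len;
    out.oob_read = out.send_len > PDU_STACK_BUF_LEN;
    return out;
}
```

A request carrying six SCIDs (cmd_len 20) is rejected on both paths, but only the patched ordering keeps the response at the 8-byte header instead of 20 bytes from an 18-byte buffer.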
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read directly enables kernel memory disclosure (T1005, Data from Local System), and the KASAN panic/DoS triggered by a crafted L2CAP packet maps to T1499.004 (Application or System Exploitation).
Mitigating Controls (NIST 800-53 r5)
- Requires validation of malformed L2CAP Enhanced Credit Based Connection Request parameters such as cmd_len and num_scid before processing, to prevent stack out-of-bounds reads.
- Mandates timely identification, testing, and installation of patches for the specific flaw in l2cap_ecred_conn_req() that causes an oversized rsp_len on invalid SCID counts.
- Implements kernel memory protections such as bounds checking and stack canaries to block or detect out-of-bounds reads from oversized PDU buffer accesses in Bluetooth L2CAP.