Cyber Resilience

CVE-2026-31771

High

Published: 01 May 2026

Modified: 11 May 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.1, vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score: 0.0021 (10.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31771 is a high-severity vulnerability (weakness type not yet assigned) in the Linux kernel (vendor Linux, product Linux Kernel). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 10.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31771 is a vulnerability in the Linux kernel's Bluetooth subsystem, specifically in the HCI event handling code. The issue arises because the hci_store_wake_reason() function is invoked from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() performs per-event minimum payload length checks defined in hci_ev_table. This allows a short HCI event frame to reach bacpy() without prior bounds validation, potentially leading to a buffer over-read.

An adjacent network attacker within Bluetooth range can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction. Successful exploitation results in high confidentiality and availability impacts, enabling information disclosure through out-of-bounds reads and denial-of-service via kernel crashes, while integrity remains unaffected.

Mitigation involves applying kernel patches from the stable repository, such as commit 2b2bf47cd75518c36fa2d41380e4a40641cc89cd and 86c8d07a64d553c41e213b52650020010f9ef23e. These patches relocate wake-address storage to individual validated event handlers like hci_conn_request_evt() and le_conn_complete_evt() after length checks succeed, refactor hci_store_wake_reason() as a lock-protected helper, and add lockdep assertions to enforce the lock contract.
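The ordering problem described above (address copied before the per-event minimum length is enforced) and the shape of the fix (store only from a handler that has already validated the length, through a lock-protected helper that also covers the unexpected-wake fallback) can be shown in a small constructed model. The code below is an added example, not kernel code and not part of the original advisory: `hci_frame`, `ev_table`, `hci_dev` and the two dispatch functions are simplified stand-ins, and the event layouts are illustrative. Bytes past the declared payload length are pre-filled with a marker so the over-read is observable without real undefined behaviour.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of HCI event dispatch; simplified, not the kernel's code. */
#define HCI_EV_CONN_COMPLETE 0x03
#define HCI_EV_CONN_REQUEST  0x04
#define FRAME_BACKING 32        /* stands in for the skb allocation behind a frame */
#define STALE_BYTE 0xAA         /* marker for memory past the real payload */

typedef struct { uint8_t b[6]; } bdaddr_t;

struct hci_frame {
    uint8_t evt;                /* event code, HCI event header already stripped */
    size_t len;                 /* real payload length */
    uint8_t backing[FRAME_BACKING];
};

/* Per-event minimum payload length (the hci_ev_table role) and address offset. */
struct ev_desc { uint8_t evt; size_t min_len; size_t addr_off; };

static const struct ev_desc ev_table[] = {
    { HCI_EV_CONN_COMPLETE, 11, 3 },   /* status(1) handle(2) bdaddr(6) link(1) enc(1) */
    { HCI_EV_CONN_REQUEST,  10, 0 },   /* bdaddr(6) class(3) link(1) */
};

struct hci_dev {
    bool locked;                /* stands in for hci_dev_lock() being held */
    bool wake_addr_valid;
    bdaddr_t wake_addr;
    int unexpected_wakes;
};

/* Build a frame whose bytes past `len` are stale marker bytes (constructed input). */
struct hci_frame make_frame(uint8_t evt, const uint8_t *payload, size_t len)
{
    struct hci_frame f;
    f.evt = evt;
    f.len = len;
    memset(f.backing, STALE_BYTE, sizeof f.backing);
    memcpy(f.backing, payload, len);
    return f;
}

static const struct ev_desc *lookup(uint8_t evt)
{
    for (size_t i = 0; i < sizeof ev_table / sizeof ev_table[0]; i++)
        if (ev_table[i].evt == evt) return &ev_table[i];
    return NULL;
}

static void bacpy(bdaddr_t *dst, const uint8_t *src) { memcpy(dst->b, src, sizeof dst->b); }

/* Vulnerable ordering: the address is copied right after the header strip,
 * before the per-event minimum length check, so a short frame pulls in
 * bytes beyond the payload. Returns -2 when the (too late) check fails. */
int vulnerable_dispatch(struct hci_dev *d, const struct hci_frame *f)
{
    const struct ev_desc *desc = lookup(f->evt);
    if (!desc) return -1;
    bacpy(&d->wake_addr, f->backing + desc->addr_off);   /* no bounds check yet */
    d->wake_addr_valid = true;
    return f->len < desc->min_len ? -2 : 0;
}

/* Fixed design: the helper only stores an already-validated address, must be
 * called with the lock held (lockdep_assert_held analogue), and with NULL it
 * records an unexpected wake when no validated handler stored an address. */
static void hci_store_wake_reason(struct hci_dev *d, const uint8_t *addr)
{
    assert(d->locked);
    if (addr) { bacpy(&d->wake_addr, addr); d->wake_addr_valid = true; }
    else if (!d->wake_addr_valid) d->unexpected_wakes++;
}

int fixed_dispatch(struct hci_dev *d, const struct hci_frame *f)
{
    const struct ev_desc *desc = lookup(f->evt);
    if (!desc) return -1;
    d->wake_addr_valid = false;
    d->locked = true;
    bool ok = f->len >= desc->min_len;                   /* length check first */
    if (ok) hci_store_wake_reason(d, f->backing + desc->addr_off);  /* validated handler */
    hci_store_wake_reason(d, NULL);                      /* post-dispatch fallback */
    d->locked = false;
    return ok ? 0 : -2;
}

/* Scenario helpers: a 3-byte Connection Request frame (constructed, short). */
static const uint8_t SHORT_REQ[3] = { 0x11, 0x22, 0x33 };
static const uint8_t FULL_REQ[10] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x00, 0x1f, 0x00, 0x01 };

int demo_short_frame_vulnerable(void)   /* 1 if stale bytes reached wake_addr */
{
    struct hci_dev d = {0};
    struct hci_frame f = make_frame(HCI_EV_CONN_REQUEST, SHORT_REQ, sizeof SHORT_REQ);
    return vulnerable_dispatch(&d, &f) == -2 && d.wake_addr.b[5] == STALE_BYTE;
}

int demo_short_frame_fixed(void)        /* unexpected wakes recorded, no address stored */
{
    struct hci_dev d = {0};
    struct hci_frame f = make_frame(HCI_EV_CONN_REQUEST, SHORT_REQ, sizeof SHORT_REQ);
    return fixed_dispatch(&d, &f) == -2 && !d.wake_addr_valid ? d.unexpected_wakes : -1;
}

int demo_full_frame_fixed(void)         /* 1 if a valid frame stores the right address */
{
    struct hci_dev d = {0};
    struct hci_frame f = make_frame(HCI_EV_CONN_REQUEST, FULL_REQ, sizeof FULL_REQ);
    return fixed_dispatch(&d, &f) == 0 && d.wake_addr_valid &&
           memcmp(d.wake_addr.b, FULL_REQ, 6) == 0 && d.unexpected_wakes == 0;
}

int main(void)
{
    printf("vulnerable path leaked stale bytes: %d\n", demo_short_frame_vulnerable());
    printf("fixed path unexpected wakes on short frame: %d\n", demo_short_frame_fixed());
    printf("fixed path stores validated address: %d\n", demo_full_frame_fixed());
    return 0;
}
```

The point to take from the model is structural: the safe copy lives inside the handler that already proved the payload is long enough, and the helper's lock assertion turns the locking contract into something a test or lockdep can catch rather than a convention readers have to remember.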

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: move wake reason storage into validated event handlers

hci_store_wake_reason() is called from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() enforces the per-event minimum payload length from hci_ev_table. This means a short HCI event frame can reach bacpy() before any bounds check runs. Rather than duplicating skb parsing and per-event length checks inside hci_store_wake_reason(), move wake-address storage into the individual event handlers after their existing event-length validation has succeeded. Convert hci_store_wake_reason() into a small helper that only stores an already-validated bdaddr while the caller holds hci_dev_lock(). Use the same helper after hci_event_func() with a NULL address to preserve the existing unexpected-wake fallback semantics when no validated event handler records a wake address. Annotate the helper with __must_hold(&hdev->lock) and add lockdep_assert_held(&hdev->lock) so future call paths keep the lock contract explicit. Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(), hci_sync_conn_complete_evt(), le_conn_complete_evt(), hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(), hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and hci_le_past_received_evt().

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The buffer over-read enables kernel memory disclosure (T1005) and crashes that deny service through system exploitation (T1499.004); the adjacent Bluetooth attack vector maps directly to no other technique.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-58015 (same product: Linux Linux Kernel)
CVE-2026-31707 (same product: Linux Linux Kernel)
CVE-2025-21742 (same product: Linux Linux Kernel)
CVE-2026-23187 (same product: Linux Linux Kernel)
CVE-2026-31513 (same product: Linux Linux Kernel)
CVE-2024-58007 (same product: Linux Linux Kernel)
CVE-2025-71093 (same product: Linux Linux Kernel)
CVE-2025-71231 (same product: Linux Linux Kernel)
CVE-2022-49623 (same product: Linux Linux Kernel)
CVE-2026-23424 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 7.0 · 5.10 — 6.19.12

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and patching of kernel flaws like CVE-2026-31771 to eliminate the buffer over-read in Bluetooth HCI event handling.

SI-10 Information Input Validation (prevent): Enforces validation of HCI event payloads against minimum lengths before processing to block short frames from reaching bacpy() and causing over-reads.

Memory protection (prevent): Implements kernel memory protections such as bounds checking and randomization to mitigate impacts of buffer over-reads like disclosure or DoS.

References