CVE-2026-31771
Published: 01 May 2026
Summary
CVE-2026-31771 is a high-severity vulnerability in the Linux kernel; no CWE has been assigned to it. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 10.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31771 is a vulnerability in the Linux kernel's Bluetooth subsystem, specifically in the HCI event handling code. The issue arises because the hci_store_wake_reason() function is invoked from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() performs per-event minimum payload length checks defined in hci_ev_table. This allows a short HCI event frame to reach bacpy() without prior bounds validation, potentially leading to a buffer over-read.
An attacker within Bluetooth range (adjacent network vector) can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction. Successful exploitation has high confidentiality and availability impact, enabling information disclosure through out-of-bounds reads and denial of service via kernel crashes, while integrity is unaffected. These metrics correspond to the vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, which yields the 8.1 base score.
Mitigation is to apply the fix from the stable kernel repository; the fixing commits are 2b2bf47cd75518c36fa2d41380e4a40641cc89cd and 86c8d07a64d553c41e213b52650020010f9ef23e. These patches move wake-address storage into the individual event handlers (for example hci_conn_request_evt() and le_conn_complete_evt()) so that it runs only after the per-event length check has succeeded, refactor hci_store_wake_reason() into a lock-protected helper that stores an already-validated address, and add lockdep assertions to make the lock contract explicit. Until the fix is applied, hosts that do not need Bluetooth remove the attack surface entirely by not loading the Bluetooth stack, since the vulnerable code only runs while HCI events are being processed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26584
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: move wake reason storage into validated event handlers

hci_store_wake_reason() is called from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() enforces the per-event minimum payload length from hci_ev_table. This means a short HCI event frame can reach bacpy() before any bounds check runs.

Rather than duplicating skb parsing and per-event length checks inside hci_store_wake_reason(), move wake-address storage into the individual event handlers after their existing event-length validation has succeeded.

Convert hci_store_wake_reason() into a small helper that only stores an already-validated bdaddr while the caller holds hci_dev_lock(). Use the same helper after hci_event_func() with a NULL address to preserve the existing unexpected-wake fallback semantics when no validated event handler records a wake address. Annotate the helper with __must_hold(&hdev->lock) and add lockdep_assert_held(&hdev->lock) so future call paths keep the lock contract explicit.

Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(), hci_sync_conn_complete_evt(), le_conn_complete_evt(), hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(), hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and hci_le_past_received_evt().
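The ordering problem described in the deeper analysis and in the commit message above, as an added example that is not the kernel's code: a self-contained C model of hci_event_packet() in which the wake address is copied out of the payload before the per-event length check (the vulnerable ordering) sits beside the patched ordering, where the copy happens inside the handler only after validation and the store helper insists that the lock is held. Only HCI_EV_CONN_REQUEST is modelled; the function names, the hci_dev fields, the frame bytes and the "adjacent memory" bytes are assumptions made for this example, and the kernel's checks on the device's suspend state before it records a wake reason are omitted.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the HCI event path, not the kernel's code. Event code and bdaddr
 * width follow the Bluetooth Core spec; everything else is simplified. */
#define HCI_EVENT_HDR_SIZE   2      /* evt (1 byte) + plen (1 byte) */
#define BDADDR_LEN           6
#define HCI_EV_CONN_REQUEST  0x04   /* payload: bdaddr(6) dev_class(3) link_type(1) */
#define CONN_REQUEST_MIN_LEN 10
typedef struct { uint8_t b[BDADDR_LEN]; } bdaddr_t;
struct hci_dev {
    bdaddr_t wake_addr;
    bool wake_addr_valid, unexpected_wake;  /* validated bdaddr recorded; fallback set */
    int lock_held;                          /* stands in for hci_dev_lock()/unlock() */
};

/* Per-event minimum payload length: the role hci_ev_table plays. */
static bool ev_len_ok(uint8_t evt, size_t payload_len)
{
    return evt == HCI_EV_CONN_REQUEST && payload_len >= CONN_REQUEST_MIN_LEN;
}

/* VULNERABLE ordering: the bdaddr is copied right after the header is stripped
 * and before ev_len_ok() runs, so a short frame makes the copy read 6 bytes
 * from a payload that holds fewer (the bacpy() over-read in the advisory). */
static void vuln_event_packet(struct hci_dev *hdev, const uint8_t *frame, size_t len)
{
    if (len < HCI_EVENT_HDR_SIZE) return;
    if (frame[0] == HCI_EV_CONN_REQUEST) {
        memcpy(hdev->wake_addr.b, frame + HCI_EVENT_HDR_SIZE, BDADDR_LEN);
        hdev->wake_addr_valid = true;
    }
    if (!ev_len_ok(frame[0], len - HCI_EVENT_HDR_SIZE))
        return;             /* too late: the over-read already happened */
}

/* FIXED helper: stores only an already-validated address and requires the lock
 * (the model's lockdep_assert_held). NULL keeps the unexpected-wake fallback. */
static void store_wake_reason(struct hci_dev *hdev, const bdaddr_t *addr)
{
    assert(hdev->lock_held);
    if (addr) {
        hdev->wake_addr = *addr;
        hdev->wake_addr_valid = true;
    } else if (!hdev->wake_addr_valid) {
        hdev->unexpected_wake = true;
    }
}

/* FIXED ordering: length check first, then the validated handler records the
 * address. Returns true when a handler recorded a wake address. */
static bool fixed_event_packet(struct hci_dev *hdev, const uint8_t *frame, size_t len)
{
    if (len < HCI_EVENT_HDR_SIZE) return false;
    bool recorded = false;
    hdev->lock_held = 1;                            /* hci_dev_lock() */
    if (ev_len_ok(frame[0], len - HCI_EVENT_HDR_SIZE)) {
        bdaddr_t addr;                              /* hci_conn_request_evt() body */
        memcpy(addr.b, frame + HCI_EVENT_HDR_SIZE, BDADDR_LEN);
        store_wake_reason(hdev, &addr);
        recorded = true;
    }
    if (!recorded)
        store_wake_reason(hdev, NULL);              /* after hci_event_func() */
    hdev->lock_held = 0;                            /* hci_dev_unlock() */
    return recorded;
}

/* Constructed inputs: a conn-request frame with plen=3 and only 3 payload bytes
 * (frame length 5) followed by 6 bytes standing in for whatever sits after the
 * frame in memory, and a well-formed request carrying a 10-byte payload. */
static const uint8_t short_frame_arena[] = { HCI_EV_CONN_REQUEST, 0x03, 0x11, 0x22, 0x33,
                                             0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF };
#define SHORT_FRAME_LEN 5
static const uint8_t good_frame[] = { HCI_EV_CONN_REQUEST, 0x0a, 0x01, 0x02, 0x03, 0x04,
                                      0x05, 0x06, 0x00, 0x01, 0x0c, 0x01 };

/* Vulnerable path on the short frame: wake_addr bytes 3..5 end up holding
 * 0xAA 0xBB 0xCC, i.e. memory that lies past the end of the frame. */
static bool vuln_leaks_adjacent_bytes(void)
{
    struct hci_dev hdev = {0};
    vuln_event_packet(&hdev, short_frame_arena, SHORT_FRAME_LEN);
    return memcmp(hdev.wake_addr.b + (SHORT_FRAME_LEN - HCI_EVENT_HDR_SIZE),
                  short_frame_arena + SHORT_FRAME_LEN, 3) == 0;
}

/* Fixed path: short frame dropped (wake_addr untouched, fallback set); good frame stored. */
static bool fixed_path_ok(void)
{
    struct hci_dev s = {0}, g = {0};
    static const bdaddr_t zero = {{0}};
    bool short_dropped = !fixed_event_packet(&s, short_frame_arena, SHORT_FRAME_LEN) &&
        !s.wake_addr_valid && s.unexpected_wake && !memcmp(&s.wake_addr, &zero, sizeof zero);
    bool good_stored = fixed_event_packet(&g, good_frame, sizeof good_frame) &&
        g.wake_addr_valid && !g.unexpected_wake &&
        !memcmp(g.wake_addr.b, good_frame + HCI_EVENT_HDR_SIZE, BDADDR_LEN);
    return short_dropped && good_stored;
}
```

Build with `cc -std=c11 -Wall` and call vuln_leaks_adjacent_bytes() and fixed_path_ok() from a main() of your own. The over-read in the model is deliberately contained inside the constructed arena so the program stays well-defined; in the kernel the same copy walks past the socket buffer's data into whatever follows it, which is where the disclosure and crash outcomes in the advisory come from. The fixed path also shows why the NULL call after the handlers matters: a frame that fails validation still produces the unexpected-wake fallback instead of a half-initialised address.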
CWE(s): none assigned.
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
- T1005 Data from Local System
Why these techniques?
Buffer over-read enables kernel memory disclosure (T1005) and crashes for DoS via system exploitation (T1499.004); adjacent Bluetooth attack vector matches no other techniques directly.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of kernel flaws like CVE-2026-31771 to eliminate the buffer over-read in Bluetooth HCI event handling.
- SI-10 (Information Input Validation): enforces validation of HCI event payloads against per-event minimum lengths before processing, so short frames never reach bacpy() and cannot cause an over-read.
- Memory protection: kernel memory protections such as bounds checking and address randomization limit the impact of buffer over-reads, such as disclosure or DoS, but do not remove the flaw.