1. Home
  2. Vulnerabilities
  3. CVE-2026-31393
0.0
NA
CVE-2026-31393
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
Overview
Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5). A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data. Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled.

Details
INFO

Published Date :

April 3, 2026, 4:16 p.m.

Last Modified :

April 3, 2026, 4:16 p.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Impact
Affected Products

The following products are affected by CVE-2026-31393 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
Solution
Apply Linux kernel updates to fix out-of-bounds read in Bluetooth L2CAP.
  • Update the Linux kernel.
  • Apply vendor-specific patches.
  • Validate L2CAP payload lengths.
  • Ensure secure default values.
References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-31393.

URL Resource
https://git.kernel.org/stable/c/3b646516cba2ebc4b51a72954903326e7c1e443f
https://git.kernel.org/stable/c/807bd1258453c4c83f6ae9dbc1e7b44860ff40d0
https://git.kernel.org/stable/c/9aeacde4da0f02d42fd968fd32f245828b230171
https://git.kernel.org/stable/c/db2872d054e467810078e2b9f440a5b326a601b2
https://git.kernel.org/stable/c/dd815e6e3918dc75a49aaabac36e4f024d675101
https://git.kernel.org/stable/c/e7ff754e339e3d5ce29aa9f95352d0186df8fbd9
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-31393 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-31393 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-31393 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-31393 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 03, 2026

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5). A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data. Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled.
    Added Reference https://git.kernel.org/stable/c/3b646516cba2ebc4b51a72954903326e7c1e443f
    Added Reference https://git.kernel.org/stable/c/807bd1258453c4c83f6ae9dbc1e7b44860ff40d0
    Added Reference https://git.kernel.org/stable/c/9aeacde4da0f02d42fd968fd32f245828b230171
    Added Reference https://git.kernel.org/stable/c/db2872d054e467810078e2b9f440a5b326a601b2
    Added Reference https://git.kernel.org/stable/c/dd815e6e3918dc75a49aaabac36e4f024d675101
    Added Reference https://git.kernel.org/stable/c/e7ff754e339e3d5ce29aa9f95352d0186df8fbd9
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.