PT-2026-30176 · Linux · Linux

Published 2026-04-03 · Updated 2026-04-03 · CVE-2026-31393

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present:
  • L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8).
  • L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5).
A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data.
Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info_timer cleanup and l2cap_conn_start() still run and the connection is not stalled.

Related Identifiers

CVE-2026-31393

Affected Products

Linux