PT-2026-34402 · Linux · Linux Kernel

Published: 2026-04-22 · Updated: 2026-05-26 · CVE-2026-31497

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

In the Bluetooth component, the btusb_work() function maps the number of active SCO links to USB alternate settings using a three-entry lookup table when CVSD traffic uses transparent voice settings. The code indexes the alts[] table with data->sco_num minus one without first constraining sco_num to the number of available table entries. Because data->sco_num is derived from hci_conn_num() and used directly, this can lead to reading past the boundaries of the alts[] table.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
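The unchecked lookup from the description next to a bounded form, as an added example that is not kernel code and not the upstream patch. The function names, the table values and the clamp-to-last-entry policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Three-entry table: active SCO link count -> USB alternate setting.
 * The values are constructed for this example. */
static const int alts[3] = { 2, 4, 5 };

/* Pattern from the description: sco_num - 1 is used as the index with no
 * bound. Correct only for sco_num in 1..3; any other count indexes
 * outside alts[] (0 wraps to a huge unsigned index). */
int alt_for_links_unchecked(unsigned int sco_num)
{
	return alts[sco_num - 1];
}

/* Bounded form (assumed policy): reject zero links and clamp larger
 * counts to the last table entry before indexing. */
int alt_for_links_clamped(unsigned int sco_num)
{
	size_t idx;

	if (sco_num == 0)
		return -1;	/* no SCO link, nothing to select */

	idx = sco_num - 1;
	if (idx >= ARRAY_SIZE(alts))
		idx = ARRAY_SIZE(alts) - 1;

	return alts[idx];
}

int main(void)
{
	unsigned int n;

	/* Link counts 0..5: only 1..3 are valid table positions. */
	for (n = 0; n <= 5; n++)
		printf("sco_num=%u -> alt %d\n", n, alt_for_links_clamped(n));
	return 0;
}
```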

Related Identifiers

CVE-2026-31497
ECHO-1D3A-3C34-E915

Affected Products

Linux Kernel