PT-2026-34418 · Linux · Linux Kernel
Published 2026-04-22 · Updated 2026-04-22 · CVE-2026-31513
Severity: None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A stack-out-of-bounds read exists in the Bluetooth L2CAP component. The function l2cap_ecred_conn_req() allocates a local stack buffer, pdu, to hold up to 5 Source Channel IDs (SCIDs). When a malformed Enhanced Credit Based Connection Request containing more than 5 SCIDs is processed, the function calculates the rsp_len variable from the unvalidated cmd_len before checking whether the SCID count exceeds L2CAP_ECRED_MAX_CID. Although the packet is eventually rejected, rsp_len retains the oversized value, causing l2cap_send_cmd() to read beyond the 18-byte pdu buffer, which leads to a KASAN panic. KASAN (Kernel Address Sanitizer) is a dynamic memory error detector for the Linux kernel.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
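The following is an added, simplified C model of the ordering defect the description above summarizes; it is not the Linux kernel's code and not the kernel's patch. The request and response header sizes, the result codes, and the "fixed" ordering are assumptions chosen to show the one point that matters for review: a response length derived from an unvalidated cmd_len must not survive a later rejection of the SCID count, and the sender must never be handed a length larger than the stack buffer behind it.

```c
/* Added, simplified model of the ordering defect described in the advisory.
 * This is not the Linux kernel's code: the structures, sizes, result codes
 * and the "fixed" ordering are assumptions chosen to illustrate the point
 * that rsp_len must only be derived after the SCID count is validated. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L2CAP_ECRED_MAX_CID 5        /* max SCIDs per request, as in the advisory */
#define REQ_HDR_LEN 8                /* assumed: psm, mtu, mps, credits (4 x u16) */
#define RSP_HDR_LEN 8                /* assumed: mtu, mps, credits, result (4 x u16) */
#define PDU_LEN (RSP_HDR_LEN + 2 * L2CAP_ECRED_MAX_CID)   /* 18-byte stack buffer */

#define RESULT_SUCCESS        0      /* constructed placeholder codes */
#define RESULT_INVALID_PARAMS 1

struct rsp_plan {
    size_t rsp_len;       /* bytes the sender will be asked to transmit */
    int    result;        /* response result code */
    int    rejected_late; /* 1 if the count check ran after rsp_len was set */
};

/* cmd_len of a request carrying n SCIDs (header plus 2 bytes per SCID). */
static uint16_t cmd_len_for_scids(unsigned n)
{
    return (uint16_t)(REQ_HDR_LEN + 2u * n);
}

/* Buggy ordering: rsp_len is computed from the unvalidated cmd_len first,
 * and the later count check rejects the request without shrinking it. */
static struct rsp_plan build_rsp_buggy(uint16_t cmd_len)
{
    struct rsp_plan p = { RSP_HDR_LEN, RESULT_SUCCESS, 0 };
    if (cmd_len < REQ_HDR_LEN) {
        p.result = RESULT_INVALID_PARAMS;
        return p;
    }
    size_t num_scid = (cmd_len - REQ_HDR_LEN) / 2;
    p.rsp_len = RSP_HDR_LEN + 2 * num_scid;     /* can exceed PDU_LEN */
    if (num_scid > L2CAP_ECRED_MAX_CID) {
        p.result = RESULT_INVALID_PARAMS;       /* rejected, rsp_len unchanged */
        p.rejected_late = 1;
    }
    return p;
}

/* Hardened ordering (assumed fix): validate the count before any length is
 * derived from it, and answer a rejected request with a header-only PDU. */
static struct rsp_plan build_rsp_fixed(uint16_t cmd_len)
{
    struct rsp_plan p = { RSP_HDR_LEN, RESULT_SUCCESS, 0 };
    if (cmd_len < REQ_HDR_LEN) {
        p.result = RESULT_INVALID_PARAMS;
        return p;
    }
    size_t num_scid = (cmd_len - REQ_HDR_LEN) / 2;
    if (num_scid > L2CAP_ECRED_MAX_CID) {
        p.result = RESULT_INVALID_PARAMS;       /* rsp_len stays RSP_HDR_LEN */
        return p;
    }
    p.rsp_len = RSP_HDR_LEN + 2 * num_scid;     /* now provably <= PDU_LEN */
    return p;
}

/* Defensive sender: never reads past the buffer it was handed.
 * Returns the byte count it would transmit, or -1 if len is unsafe. */
static int send_cmd_checked(size_t len)
{
    if (len > PDU_LEN)
        return -1;
    return (int)len;
}

int main(void)
{
    printf("%-6s %-12s %-12s\n", "scids", "buggy_len", "fixed_len");
    for (unsigned n = 1; n <= L2CAP_ECRED_MAX_CID + 1; n++) {
        uint16_t cl = cmd_len_for_scids(n);
        struct rsp_plan b = build_rsp_buggy(cl), f = build_rsp_fixed(cl);
        printf("%-6u %-12zu %-12zu %s\n", n, b.rsp_len, f.rsp_len,
               send_cmd_checked(b.rsp_len) < 0 ? "<- buggy len exceeds pdu" : "");
    }
    return 0;
}
```

Running the model shows the boundary: with 5 SCIDs both orderings ask the sender for 18 bytes, exactly the buffer size; with 6 SCIDs the buggy ordering still hands over 20 bytes after rejecting the request, while the hardened ordering sends only the 8-byte header. The bounds check in send_cmd_checked() is the independent second line of defence a reviewer would also ask for, so that a future caller cannot reintroduce the same class of bug.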
Related Identifiers
Affected Products
Linux Kernel