PT-2026-36406 · Linux · Linux Kernel

Published 2026-05-01 · Updated 2026-06-05 · CVE-2026-31771

CVSS v3.1: 8.1 High

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

An issue exists in the Bluetooth component where hci_store_wake_reason() is called within hci_event_packet() before the per-event minimum payload length is enforced by hci_event_func(). This allows a short HCI event frame to reach bacpy() before any bounds check is performed. The fix involves moving wake-address storage into individual event handlers after length validation has succeeded and converting hci_store_wake_reason() into a helper function that stores a validated bdaddr while holding the hci_dev_lock(). This helper is utilized by several functions, including hci_conn_request_evt(), hci_conn_complete_evt(), hci_sync_conn_complete_evt(), le_conn_complete_evt(), hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(), hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and hci_le_past_received_evt().

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
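
The ordering the fix establishes, shown as an added example: a simplified user-space model, not the kernel's code, in which the dispatcher enforces each event's minimum payload length before a handler copies the address and stores it. The struct layout, the function names and the sample frame are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* User-space model only: struct layout and names are assumptions, not kernel code. */
#define EVT_HDR_LEN      2     /* event code + parameter length */
#define EVT_CONN_REQUEST 0x04  /* payload: bdaddr(6) + class(3) + link type(1) */
typedef struct { uint8_t b[6]; } bdaddr_t;
struct dev { bdaddr_t wake_addr; int wake_set; };
/* Only sees an address from a validated payload (kernel helper also holds hci_dev_lock()). */
static void store_wake_reason(struct dev *d, const bdaddr_t *addr)
{
    d->wake_addr = *addr;
    d->wake_set = 1;
}

static void conn_request_evt(struct dev *d, const uint8_t *p)
{
    bdaddr_t a;
    memcpy(&a, p, sizeof(a));  /* safe: dispatcher guaranteed >= 10 bytes */
    store_wake_reason(d, &a);
}
static const struct { uint8_t code; size_t min_len;
                      void (*fn)(struct dev *, const uint8_t *);
} handlers[] = { { EVT_CONN_REQUEST, 10, conn_request_evt } };

/* Returns 0 if the event was handled, -1 if the frame was rejected. */
int event_packet(struct dev *d, const uint8_t *frame, size_t len)
{
    if (len < EVT_HDR_LEN || frame[1] > len - EVT_HDR_LEN)
        return -1;             /* header missing or length field overstates */
    for (size_t i = 0; i < sizeof(handlers) / sizeof(handlers[0]); i++) {
        if (handlers[i].code != frame[0]) continue;
        if (frame[1] < handlers[i].min_len)
            return -1;         /* minimum enforced before any payload read */
        handlers[i].fn(d, frame + EVT_HDR_LEN);
        return 0;
    }
    return -1;                 /* unknown event: nothing stored */
}

/* Constructed Connection Request with plen (<= 10) payload bytes; returns wake_set. */
int wake_set_after(uint8_t plen)
{
    uint8_t frame[EVT_HDR_LEN + 10] = { EVT_CONN_REQUEST, plen, 1, 2, 3, 4, 5, 6 };
    struct dev d = { .wake_set = 0 };
    event_packet(&d, frame, (size_t)EVT_HDR_LEN + plen);
    return d.wake_set;
}
int main(void) { return (wake_set_after(10) == 1 && wake_set_after(3) == 0) ? 0 : 1; }
```

In the model, a frame shorter than the event's minimum is rejected with nothing written to the wake address, because the store happens only inside the handler that runs after the check.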

Related Identifiers

CVE-2026-31771
OESA-2026-2416
OESA-2026-2581

Affected Products

Linux Kernel