CVE-2026-31513
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd() that is triggered by a malformed Enhanced Credit Based Connection Request.
The vulnerability stems from l2cap_ecred_conn_req(). The function allocates
a local stack buffer (pdu) designed to hold a maximum of 5 Source Channel
IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more
than 5 SCIDs, the function calculates rsp_len based on this unvalidated
cmd_len before checking if the number of SCIDs exceeds
L2CAP_ECRED_MAX_CID.
If the SCID count is too high, the function correctly jumps to the
response label to reject the packet, but rsp_len retains the
attacker's oversized value. Consequently, l2cap_send_cmd() is instructed
to read past the end of the 18-byte pdu buffer, triggering a
KASAN panic.
Fix this by moving the assignment of rsp_len to after the num_scid
boundary check. If the packet is rejected, rsp_len will safely
remain 0, and the error response will only read the 8-byte base header
from the stack.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 935f324e4b2461df2cf7f02b4195082b4304c708 < c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc | affected |
| Linux | Linux | e981a9392800ce2c5bca196a6ab2c55e9370efaa < 5b35f8211a913cfe7ab9d54fa36a272d2059a588 | affected |
| Linux | Linux | f3fdf2e7276a3edc5df55454275da20eac186970 < a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b | affected |
| Linux | Linux | c28d2bff70444a85b3b86aaf241ece9408c7858c < 9d87cb22195b2c67405f5485d525190747ad5493 | affected |
| Linux | Linux | 6.12.75 < 6.12.80 | affected |
| Linux | Linux | 6.18.16 < 6.18.21 | affected |
| Linux | Linux | 6.19.6 < 6.19.11 | affected |
Weaknesses
References
- https://git.kernel.org/stable/c/c8e1a27edb8b4e5afb56b384acd7b6c2dec1b7cc
- https://git.kernel.org/stable/c/5b35f8211a913cfe7ab9d54fa36a272d2059a588
- https://git.kernel.org/stable/c/a3d9c50d69785ae02e153f000da1b5fd6dbfdf1b
- https://git.kernel.org/stable/c/9d87cb22195b2c67405f5485d525190747ad5493
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.