CVE-2026-31512
EUVD-2026-2489522.04.2026, 14:16
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the same validation to the Enhanced Credit Based Flow Control data path.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 3.14.1 ≤ 𝑥 < 5.10.253 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.203 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.168 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.131 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.80 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.18.21 |
| linux | linux_kernel | 6.19 ≤ 𝑥 < 6.19.11 |
| linux | linux_kernel | 3.14 |
| linux | linux_kernel | 7.0:rc1 |
| linux | linux_kernel | 7.0:rc2 |
| linux | linux_kernel | 7.0:rc3 |
| linux | linux_kernel | 7.0:rc4 |
| linux | linux_kernel | 7.0:rc5 |
| linux | linux_kernel | 7.0:rc6 |
| linux | linux_kernel | 7.0:rc7 |
𝑥
= Vulnerable software versions
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||
|---|---|---|---|---|---|---|---|
| cluster-md-kmp-default |
| ||||||
| dlm-kmp-default |
| ||||||
| gfs2-kmp-default |
| ||||||
| kernel-64kb |
| ||||||
| kernel-default |
| ||||||
| kernel-default-base |
| ||||||
| kernel-default-man |
| ||||||
| kernel-docs |
| ||||||
| kernel-macros |
| ||||||
| kernel-obs-build |
| ||||||
| kernel-source |
| ||||||
| kernel-syms |
| ||||||
| kernel-zfcpdump |
| ||||||
| ocfs2-kmp-default |
| ||||||
| reiserfs-kmp-default |
|
Vulnerability Media Exposure
References