{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31512", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.107Z", "datePublished": "2026-04-22T13:54:30.171Z", "dateUpdated": "2026-04-22T13:54:30.171Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:30.171Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb->data using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "cef09691cfb61f6c91cc27c3d69634f81c8ab949", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "3340be2bafdcc806f048273ea6d8e82a6597aa1b", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "e47315b84d0eb188772c3ff5cf073cdbdefca6b4", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "477ad4976072056c348937e94f24583321938df4", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "40c7f7eea2f4d9cb0b3e924254c8c9053372168f", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "8c96f3bd4ae0802db90630be8e9851827e9c9209", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "5ad981249be52f5e4e92e0e97b436b569071cb86", "status": "affected", "versionType": "git"}, {"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1", "lessThan": "c65bd945d1c08c3db756821b6bf9f1c4a77b29c6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "3.14", "status": "affected"}, {"version": "0", "lessThan": "3.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949"}, {"url": "https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b"}, {"url": "https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4"}, {"url": "https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4"}, {"url": "https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f"}, {"url": "https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209"}, {"url": "https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86"}, {"url": "https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6"}], "title": "Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb->data using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path."}], "id": "CVE-2026-31512", "lastModified": "2026-04-22T14:16:50.490", "metrics": {}, "published": "2026-04-22T14:16:50.490", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}