Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()

Summary

CVE	CVE-2026-31512
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-22 14:16:50 UTC
Updated	2026-04-22 14:16:50 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the same validation to the Enhanced Credit Based Flow Control data path.

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected aac23bf636593cc2d67144aed373a46a1a5f76b1 cef09691cfb61f6c91cc27c3d69634f81c8ab949 git	Not specified
CNA	Linux	Linux	affected aac23bf636593cc2d67144aed373a46a1a5f76b1 3340be2bafdcc806f048273ea6d8e82a6597aa1b git	Not specified
CNA	Linux	Linux	affected aac23bf636593cc2d67144aed373a46a1a5f76b1 e47315b84d0eb188772c3ff5cf073cdbdefca6b4 git	Not specified
CNA	Linux	Linux	affected aac23bf636593cc2d67144aed373a46a1a5f76b1 477ad4976072056c348937e94f24583321938df4 git	Not specified
CNA	Linux	Linux	affected aac23bf636593cc2d67144aed373a46a1a5f76b1 40c7f7eea2f4d9cb0b3e924254c8c9053372168f git	Not specified
CNA	Linux	Linux	affected aac23bf636593cc2d67144aed373a46a1a5f76b1 8c96f3bd4ae0802db90630be8e9851827e9c9209 git	Not specified
CNA	Linux	Linux	affected aac23bf636593cc2d67144aed373a46a1a5f76b1 5ad981249be52f5e4e92e0e97b436b569071cb86 git	Not specified
CNA	Linux	Linux	affected aac23bf636593cc2d67144aed373a46a1a5f76b1 c65bd945d1c08c3db756821b6bf9f1c4a77b29c6 git	Not specified
CNA	Linux	Linux	affected 3.14	Not specified
CNA	Linux	Linux	unaffected 3.14 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.253 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.203 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.168 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.131 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.80 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.21 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.11 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.