CVE-2026-31393Improper Handling of Length Parameter Inconsistency in Linux

CWE-130Improper Handling of Length Parameter Inconsistency6 documents6 sources
Severity
4.7MEDIUM
No vector
EPSS
0.0%
top 90.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
LinuxLinux KernelDebian Linux
Timeline
PublishedApr 3

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the hea

Affected Packages3 packages

Debianlinux/linux_kernel< 6.19.10-1
CVEListV5linux/linux4e8402a3f884427f9233ba436459c158d1f2e1143b646516cba2ebc4b51a72954903326e7c1e443f+6
debiandebian/linux< linux 6.19.10-1 (forky)

🔴Vulnerability Details

2
OSV
CVE-2026-31393: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_infor2026-04-03
GHSA
GHSA-cpmg-r9cr-q8pj: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_inf2026-04-03

📋Vendor Advisories

2
Red Hat
kernel: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access2026-04-03
Debian
CVE-2026-31393: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-31393 Impact, Exploitability, and Mitigation Steps | Wiz