CVE-2026-31393

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/04/2026
Last modified:
03/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access

l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present:

- L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8).

- L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5).

A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data.

Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled.

Impact