CVE-2026-31497

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: btusb: clamp SCO altsetting table indices<br /> <br /> btusb_work() maps the number of active SCO links to USB alternate<br /> settings through a three-entry lookup table when CVSD traffic uses<br /> transparent voice settings. The lookup currently indexes alts[] with<br /> data-&gt;sco_num - 1 without first constraining sco_num to the number of<br /> available table entries.<br /> <br /> While the table only defines alternate settings for up to three SCO<br /> links, data-&gt;sco_num comes from hci_conn_num() and is used directly.<br /> Cap the lookup to the last table entry before indexing it so the<br /> driver keeps selecting the highest supported alternate setting without<br /> reading past alts[].