CVE-2026-31513

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req<br /> <br /> Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()<br /> that is triggered by a malformed Enhanced Credit Based Connection Request.<br /> <br /> The vulnerability stems from l2cap_ecred_conn_req(). The function allocates<br /> a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel<br /> IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more<br /> than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated<br /> `cmd_len` before checking if the number of SCIDs exceeds<br /> L2CAP_ECRED_MAX_CID.<br /> <br /> If the SCID count is too high, the function correctly jumps to the<br /> `response` label to reject the packet, but `rsp_len` retains the<br /> attacker&amp;#39;s oversized value. Consequently, l2cap_send_cmd() is instructed<br /> to read past the end of the 18-byte `pdu` buffer, triggering a<br /> KASAN panic.<br /> <br /> Fix this by moving the assignment of `rsp_len` to after the `num_scid`<br /> boundary check. If the packet is rejected, `rsp_len` will safely<br /> remain 0, and the error response will only read the 8-byte base header<br /> from the stack.