CVE-2026-31771

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_event: move wake reason storage into validated event handlers<br /> <br /> hci_store_wake_reason() is called from hci_event_packet() immediately<br /> after stripping the HCI event header but before hci_event_func()<br /> enforces the per-event minimum payload length from hci_ev_table.<br /> This means a short HCI event frame can reach bacpy() before any bounds<br /> check runs.<br /> <br /> Rather than duplicating skb parsing and per-event length checks inside<br /> hci_store_wake_reason(), move wake-address storage into the individual<br /> event handlers after their existing event-length validation has<br /> succeeded. Convert hci_store_wake_reason() into a small helper that only<br /> stores an already-validated bdaddr while the caller holds hci_dev_lock().<br /> Use the same helper after hci_event_func() with a NULL address to<br /> preserve the existing unexpected-wake fallback semantics when no<br /> validated event handler records a wake address.<br /> <br /> Annotate the helper with __must_hold(&amp;hdev-&gt;lock) and add<br /> lockdep_assert_held(&amp;hdev-&gt;lock) so future call paths keep the lock<br /> contract explicit.<br /> <br /> Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(),<br /> hci_sync_conn_complete_evt(), le_conn_complete_evt(),<br /> hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(),<br /> hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and<br /> hci_le_past_received_evt().