356 matches found
CVE-2026-31512
Mode C CVE-2026-31512 affects the Linux kernel Bluetooth L2CAP path. The vulnerability arises in l2cap_ecred_data_rcv() where the SDU length is read from skb->data using get_unaligned_le16() without first ensuring skb contains at least 2 bytes (L2CAP_SDULEN_SIZE). If skb->len
CVE-2026-31513 Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2capecredconnreq Syzbot reported a KASAN stack-out-of-bounds read in l2capbuildcmd that is triggered by a malformed Enhanced Credit Based Connection Request. The vulnerability...
CVE-2026-31510
CVE-2026-31510: Linux kernel Bluetooth L2CAP vulnerability due to a null pointer dereference in l2cap_sock_ready_cb. The issue arises because sk is used without verifying it’s non-null, leading to a kernel panic/DoS. Multiple OS advisories (Debian roots, Ubuntu, Red Hat, SUSE, etc.) report the pa...
CVE-2026-31498
Linux kernel CVE-2026-31498 affects Bluetooth L2CAP by exposing memory leaks during reconfiguration (ERTM data structures) and a zero-valued max_pdu_size path that can lead to an infinite loop in l2cap_segment_sdu. Root cause: reconfiguration previously re-initialized ERTM state and NULL’d sdu wi...
Linux Distros Unpatched Vulnerability : CVE-2026-31510
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bluetooth: L2CAP: Fix null-ptr-deref on l2capsockreadycb Before using sk pointer, check if it is null. Fix the following: KASAN: null-ptr-deref in range...
Linux Distros Unpatched Vulnerability : CVE-2026-31498
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bluetooth: L2CAP: Fix ERTM re-init and zero pdulen infinite loop l2capconfigreq processes CONFIGREQ for channels in BTCONNECTED state to support L2CAP...
Linux Distros Unpatched Vulnerability : CVE-2026-31499
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bluetooth: L2CAP: Fix deadlock in l2capconndel l2capconndel calls canceldelayedworksync for both infotimer and idaddrtimer while holding conn-lock. However, the...
PT-2026-34415
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A null pointer dereference exists in the Bluetooth L2CAP component. The issue occurs within the l2cap sock ready cb function when the sk pointer is used without verifying if it is null...
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013653)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013653 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix potential user-after-free This fixes all instances of which requires to...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013193)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013193 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2capdisconnectreq,rsp Similar to commit d0be8347c623...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013245)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013245 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix potential user-after-free This fixes all instances of which requires to...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007343)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007343 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2capsockcreate btsockalloc...
SUSE CVE-2026-23461
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2capunregisteruser After commit ab4eedb790ca "Bluetooth: L2CAP: Fix corrupted list in hcichandel", l2capconndel uses conn-lock to protect access to conn-users. However, l2capregisteruser a...
CVE-2026-23461
A flaw was found in the Linux kernel's Bluetooth L2CAP component. A race condition exists due to inconsistent locking mechanisms when registering and unregistering L2CAP users. This allows concurrent access to shared data structures, leading to use-after-free vulnerabilities and list corruption...
CVE-2026-31393
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAPINFORSP payload length before access l2capinformationrsp checks that cmdlen covers the fixed l2capinforsp header type + result, 4 bytes but then reads rsp-data without verifying that the payload is...
CVE-2026-23461
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2capunregisteruser After commit ab4eedb790ca "Bluetooth: L2CAP: Fix corrupted list in hcichandel", l2capconndel uses conn-lock to protect access to conn-users. However, l2capregisteruser a...
CVE-2026-23461
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2capunregisteruser After commit ab4eedb790ca "Bluetooth: L2CAP: Fix corrupted list in hcichandel", l2capconndel uses conn-lock to protect access to conn-users. However, l2capregisteruser a...
CVE-2026-23461 Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2capunregisteruser After commit ab4eedb790ca "Bluetooth: L2CAP: Fix corrupted list in hcichandel", l2capconndel uses conn-lock to protect access to conn-users. However, l2capregisteruser a...
CVE-2026-23461
CVE-2026-23461: In the Linux kernel Bluetooth L2CAP, l2cap_register_user() and l2cap_unregister_user() did not consistently acquire conn->lock, creating a race with l2cap_conn_del() that can access conn->users and conn->hchan concurrently. This caused use-after-free and list corruption. ...
PT-2026-30155
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A flaw exists in the Linux kernel's Bluetooth L2CAP implementation, specifically within the l2cap unregister user function. A race condition occurs because l2cap register user and l2cap...