{ "threat_severity" : "Moderate", "public_date" : "2026-04-22T00:00:00Z", "bugzilla" : { "description" : "kernel: Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb", "id" : "2460732", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460732" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb\nBefore using sk pointer, check if it is null.\nFix the following:\nKASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]\nCPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025\nWorkqueue: events l2cap_info_timeout\nRIP: 0010:kasan_byte_accessible+0x12/0x30\nCode: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce\nveth0_macvtap: entered promiscuous mode\nRSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\nRDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\nR13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0\nPKRU: 55555554\nCall Trace:\n\n__kasan_check_byte+0x12/0x40\nlock_acquire+0x79/0x2e0\nlock_sock_nested+0x48/0x100\n? l2cap_sock_ready_cb+0x46/0x160\nl2cap_sock_ready_cb+0x46/0x160\nl2cap_conn_start+0x779/0xff0\n? __pfx_l2cap_conn_start+0x10/0x10\n? l2cap_info_timeout+0x60/0xa0\n? __pfx___mutex_lock+0x10/0x10\nl2cap_info_timeout+0x68/0xa0\n? process_scheduled_works+0xa8d/0x18c0\nprocess_scheduled_works+0xb6e/0x18c0\n? __pfx_process_scheduled_works+0x10/0x10\n? assign_work+0x3d5/0x5e0\nworker_thread+0xa53/0xfc0\nkthread+0x388/0x470\n? __pfx_worker_thread+0x10/0x10\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x51e/0xb90\n? __pfx_ret_from_fork+0x10/0x10\nveth1_macvtap: entered promiscuous mode\n? __switch_to+0xc7d/0x1450\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n\nModules linked in:\n---[ end trace 0000000000000000 ]---\nbatman_adv: batadv0: Interface activated: batadv_slave_0\nbatman_adv: batadv0: Interface activated: batadv_slave_1\nnetdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0\nnetdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0\nnetdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0\nnetdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0\nRIP: 0010:kasan_byte_accessible+0x12/0x30\nCode: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce\nieee80211 phy39: Selected rate control algorithm 'minstrel_ht'\nRSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\nRDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\nR13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0\nPKRU: 55555554\nKernel panic - not syncing: Fatal exception", "A flaw was found in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) module. This vulnerability, a null pointer dereference, occurs in the `l2cap_sock_ready_cb` function because it fails to validate if a pointer is null before attempting to use it. An attacker within Bluetooth range could potentially trigger this flaw, leading to a kernel panic and resulting in a Denial of Service (DoS) for the affected system." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31510\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31510\nhttps://lore.kernel.org/linux-cve-announce/2026042208-CVE-2026-31510-1c90@gregkh/T" ], "name" : "CVE-2026-31510", "csaw" : false }