{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-22T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()",
    "id" : "2460696",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460696"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-1284",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\nl2cap_ecred_data_rcv() reads the SDU length field from skb->data using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads\npast the valid data in the skb.\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path.", "A flaw was found in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) component. The l2cap_ecred_data_rcv() function fails to validate the incoming Protocol Data Unit (PDU) length before attempting to read the Service Data Unit (SDU) length. This oversight allows an attacker to craft a malicious packet that, when processed, can cause the system to read beyond the allocated buffer, potentially leading to information disclosure or a denial of service." ],
  "statement" : "Upstream mirrors the ERTM `pskb_may_pull()` guard before reading SDU length on the enhanced credit-based data path. Red Hat treats this as a remote-adjacent Bluetooth parser hardening issue. Consume patched kernels; unload `bluetooth` where acceptable.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31512\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31512\nhttps://lore.kernel.org/linux-cve-announce/2026042209-CVE-2026-31512-b386@gregkh/T" ],
  "name" : "CVE-2026-31512",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the bluetooth module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}