{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31497", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.102Z", "datePublished": "2026-04-22T13:54:19.051Z", "dateUpdated": "2026-04-22T13:54:19.051Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:19.051Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: clamp SCO altsetting table indices\n\nbtusb_work() maps the number of active SCO links to USB alternate\nsettings through a three-entry lookup table when CVSD traffic uses\ntransparent voice settings. The lookup currently indexes alts[] with\ndata->sco_num - 1 without first constraining sco_num to the number of\navailable table entries.\n\nWhile the table only defines alternate settings for up to three SCO\nlinks, data->sco_num comes from hci_conn_num() and is used directly.\nCap the lookup to the last table entry before indexing it so the\ndriver keeps selecting the highest supported alternate setting without\nreading past alts[]."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bluetooth/btusb.c"], "versions": [{"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "312c4450fe23014665c163f480edd5ad2e27bbb8", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "9dd13a8641de79bc1bc93da55cdd35259a002683", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "476c9262b430c38c6a701a3b8176a3f48689085b", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "6fba3c3d48c927e55611a0f5ea34da88138ed0ff", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "834cf890d2c3d29cbfa1ee2376c40469c28ec297", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "1019028eb124564cf7bca58a16f1df8a1ca30726", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "21c254202f9d78abe0fcd642a92966deb92bd226", "status": "affected", "versionType": "git"}, {"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626", "lessThan": "129fa608b6ad08b8ab7178eeb2ec272c993aaccc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bluetooth/btusb.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/312c4450fe23014665c163f480edd5ad2e27bbb8"}, {"url": "https://git.kernel.org/stable/c/9dd13a8641de79bc1bc93da55cdd35259a002683"}, {"url": "https://git.kernel.org/stable/c/476c9262b430c38c6a701a3b8176a3f48689085b"}, {"url": "https://git.kernel.org/stable/c/6fba3c3d48c927e55611a0f5ea34da88138ed0ff"}, {"url": "https://git.kernel.org/stable/c/834cf890d2c3d29cbfa1ee2376c40469c28ec297"}, {"url": "https://git.kernel.org/stable/c/1019028eb124564cf7bca58a16f1df8a1ca30726"}, {"url": "https://git.kernel.org/stable/c/21c254202f9d78abe0fcd642a92966deb92bd226"}, {"url": "https://git.kernel.org/stable/c/129fa608b6ad08b8ab7178eeb2ec272c993aaccc"}], "title": "Bluetooth: btusb: clamp SCO altsetting table indices", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: clamp SCO altsetting table indices\n\nbtusb_work() maps the number of active SCO links to USB alternate\nsettings through a three-entry lookup table when CVSD traffic uses\ntransparent voice settings. The lookup currently indexes alts[] with\ndata->sco_num - 1 without first constraining sco_num to the number of\navailable table entries.\n\nWhile the table only defines alternate settings for up to three SCO\nlinks, data->sco_num comes from hci_conn_num() and is used directly.\nCap the lookup to the last table entry before indexing it so the\ndriver keeps selecting the highest supported alternate setting without\nreading past alts[]."}], "id": "CVE-2026-31497", "lastModified": "2026-04-22T14:16:47.857", "metrics": {}, "published": "2026-04-22T14:16:47.857", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1019028eb124564cf7bca58a16f1df8a1ca30726"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/129fa608b6ad08b8ab7178eeb2ec272c993aaccc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/21c254202f9d78abe0fcd642a92966deb92bd226"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/312c4450fe23014665c163f480edd5ad2e27bbb8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/476c9262b430c38c6a701a3b8176a3f48689085b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6fba3c3d48c927e55611a0f5ea34da88138ed0ff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/834cf890d2c3d29cbfa1ee2376c40469c28ec297"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9dd13a8641de79bc1bc93da55cdd35259a002683"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,312c4450fe23014665c163f480edd5ad2e27bbb8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,9dd13a8641de79bc1bc93da55cdd35259a002683)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,476c9262b430c38c6a701a3b8176a3f48689085b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,6fba3c3d48c927e55611a0f5ea34da88138ed0ff)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,834cf890d2c3d29cbfa1ee2376c40469c28ec297)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,1019028eb124564cf7bca58a16f1df8a1ca30726)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,21c254202f9d78abe0fcd642a92966deb92bd226)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[baac6276c0a9f36f1fe1f00590ef00d2ba5ba626,129fa608b6ad08b8ab7178eeb2ec272c993aaccc)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.8"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.8)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,6.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,6.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:47:07.730846+00:00", "value": {"mitigation_remediation": ["Check your distribution\u2019s security advisories and install the latest Linux kernel update that contains the btusb patch.", "If a kernel update cannot be applied immediately, disable platform Bluetooth services or unload the btusb module to prevent the vulnerability from being exercised.", "Configure the system to block or limit creation of SCO links while using a patched kernel to reduce the risk of accidental overflow from legitimate devices."], "summary": {"action": "Apply Patch", "impact": "Out-of-bounds array indexing in the btusb driver that can trigger a kernel crash or expose kernel data"}, "threat_synthesis": {"affected_systems": "All Linux kernel variants that ship the buggy btusb driver are affected. The problem exists before the patch was released; no specific version list is provided.", "description_and_impact": "The Linux kernel Bluetooth driver btusb maps active SCO links to USB alternate settings via a small lookup table. When the number of active SCO links exceeds the size of that table, the code indexes beyond the array bounds without validation. This can lead to incorrect memory reads or, if an attacker supplies specially crafted input, a crash of the kernel, potentially allowing information disclosure or denial of service.", "risk_and_exploitability": "The advisory does not provide a CVSS score or EPSS value, but the lack of bounds checks makes the bug stable and exploitable. The likely attack vector is remote via Bluetooth: an attacker can connect a rogue device that initiates many SCO links to trigger the fault. The resulting kernel crash would render the system unavailable and could expose kernel memory contents."}}}}, "created": "2026-04-22T19:00:08.089054+00:00", "updated": "2026-04-22T19:45:25.064723+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-122"]}