CVE-2026-31393

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Validate L2CAPINFORSP payload length before access

l2capinformationrsp() checks that cmdlen covers the fixed l2capinfo_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present:

• L2CAPITFEATMASK calls getunalignedle32(rsp->data), which reads 4 bytes past the header (needs cmdlen >= 8).

• L2CAPITFIXEDCHAN reads rsp->data[0], 1 byte past the header (needs cmdlen >= 5).

A truncated L2CAPINFORSP with result == L2CAPIRSUCCESS triggers an out-of-bounds read of adjacent skb data.

Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (featmask and remotefixedchan remain zero from kzalloc), so the info timer cleanup and l2capconn_start() still run and the connection is not stalled.