A newly published CVE record, CVE-2026-31510, details a NULL pointer dereference in the Linux kernel's Bluetooth L2CAP implementation, rated critical in the record. The bug resides in the l2cap_sock_ready_cb function, which runs from a workqueue callback and can crash the kernel when it fires. The flaw was introduced in kernel 5.16 and is present in every release from there through current mainline until the fix lands. The patch is already in the Linux kernel git repository.

The vulnerability occurs because l2cap_sock_ready_cb takes the sk (socket) pointer from the channel and uses it without first checking that it is non-NULL. Under specific conditions, which the report attributes to a race or to improper channel state handling, the socket can be torn down before the deferred callback executes, so the callback runs with a NULL sk and the kernel oopses. Nothing in the record suggests memory corruption beyond the crash: the practical impact is a denial of service (DoS) triggered by crafted L2CAP traffic from a peer in radio range.

KASAN (Kernel Address Sanitizer) reports of the null-ptr-deref in this path confirm the pattern. The issue was discovered by a security researcher and reported through the Linux kernel security mailing list. The fix adds a NULL check on sk in l2cap_sock_ready_cb before it is dereferenced, so the callback simply returns when the socket is already gone. The patch, authored by Luiz Augusto von Dentz, has been merged into the Bluetooth subsystem tree and is expected to be included in upcoming stable kernel releases.

Impact and Affected Systems

Any Linux system running kernel 5.16 or later with a Bluetooth controller active is potentially vulnerable. This includes desktop distributions, embedded devices, and servers that use Bluetooth connectivity. No pairing or authentication is required, but the attacker must be within Bluetooth radio range to deliver the L2CAP frames. A host whose kernel is in the affected range but which has no Bluetooth controller, or has the bluetooth module not loaded, has no over-the-air exposure.

Mitigation and Patching

Users are strongly advised to apply the kernel patch as soon as it becomes available through their distribution's update channels. For those running custom kernels, the fix can be cherry-picked from the Linux Bluetooth tree commit. As a temporary workaround, disabling Bluetooth reduces exposure: the kernel stack offers no per-protocol filter for L2CAP, so "blocking L2CAP" in practice means soft-blocking the radio with rfkill, stopping the host stack, and keeping the bluetooth module from loading. These measures also take down every Bluetooth profile on the host, and the only complete mitigation is to patch the kernel.
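The affected-range check and the interim workaround above, as an added example that is not part of the advisory or the kernel project's own tooling: a POSIX shell script that reports whether the running host is in the affected range (kernel 5.16 or later, a Bluetooth controller present and not rfkill-blocked) and, when invoked with --block, applies the workaround. It assumes the 5.16 lower bound stated above, the standard /sys/class/bluetooth layout, and rfkill, systemd and modprobe being available; the modprobe.d file name is my own choice.

```shell
#!/bin/sh
# Added example, not from the advisory: is this host in the affected range for
# the L2CAP ready-callback NULL dereference, and if so, block Bluetooth until a
# patched kernel is installed.  Usage: sh check_l2cap.sh [--block]

# Return 0 if kernel release string $1 is 5.16 or later (assumed lower bound
# from the advisory).  Only major.minor are compared, so "6.1.0-rc2-custom"
# is read as 6.1.  Returns 2 for input that does not look like a release.
affected_kernel_version() {
    rel=$1
    major=${rel%%.*}            # "5.15.0-91-generic" -> "5"
    rest=${rel#*.}              # -> "15.0-91-generic"
    minor=${rest%%[!0-9]*}      # -> "15"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 16 ]; }
}

# Return 0 if the host can currently receive Bluetooth traffic: at least one
# HCI controller is registered and rfkill does not soft-block it.  Read-only.
# Conservative: any controller that is not soft-blocked counts as exposed.
bluetooth_exposed() {
    found=1
    for hci in /sys/class/bluetooth/hci*; do
        [ -e "$hci" ] || continue   # unmatched glob: no controller at all
        found=0
    done
    [ "$found" -eq 0 ] || return 1
    if command -v rfkill >/dev/null 2>&1; then
        rfkill list bluetooth 2>/dev/null | grep -q 'Soft blocked: no' && return 0
        return 1
    fi
    return 0                        # no rfkill to consult: assume live radio
}

# Interim workaround (needs root): soft-block the radio, stop the host stack
# so it does not re-enable the controller, and keep bluetooth.ko from loading.
# The modprobe rule has no effect when Bluetooth is built into the kernel; in
# that case the rfkill block is the only lever.  File name is my own choice.
block_bluetooth() {
    rfkill block bluetooth || true
    if command -v systemctl >/dev/null 2>&1; then
        systemctl disable --now bluetooth.service || true
    fi
    printf 'install bluetooth /bin/false\n' > /etc/modprobe.d/disable-bluetooth.conf
    modprobe -r bluetooth 2>/dev/null || true   # fails harmlessly if in use
}

main() {
    rel=$(uname -r)
    if affected_kernel_version "$rel"; then
        echo "kernel $rel is in the affected range (>= 5.16)"
        if bluetooth_exposed; then
            echo "active Bluetooth controller: reachable over the air until patched"
            if [ "${1:-}" = "--block" ]; then block_bluetooth; fi
        else
            echo "no active Bluetooth controller: not reachable over the air"
        fi
    else
        echo "kernel $rel predates the bug (introduced in 5.16)"
    fi
}

main "$@"
```

Run it without arguments first; it only reads /sys and rfkill state. The --block path changes system state and should be rolled back (remove the modprobe.d file, rfkill unblock bluetooth, re-enable the service) once the patched kernel is booted.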