CVE-2026-31498 - Vulnerability Details

- Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop

l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED
state to support L2CAP reconfiguration (e.g. MTU changes). However,
since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from
the initial configuration, the reconfiguration path falls through to
l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and
retrans_list without freeing the previous allocations and sets
chan->sdu to NULL without freeing the existing skb. This leaks all
previously allocated ERTM resources.

Additionally, l2cap_parse_conf_req() does not validate the minimum
value of remote_mps derived from the RFC max_pdu_size option. A zero
value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
causing the while loop to never terminate since len is never
decremented, exhausting all available memory.

Fix the double-init by skipping l2cap_ertm_init() and
l2cap_chan_ready() when the channel is already in BT_CONNECTED state,
while still allowing the reconfiguration parameters to be updated
through l2cap_parse_conf_req(). Also add a pdu_len zero check in
l2cap_segment_sdu() as a safeguard.

Published: 2026-04-22

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability originates from the Linux kernel’s Bluetooth L2CAP implementation, where a reconfiguration request on an already connected channel re‑initializes ERTM data structures without freeing prior allocations, leading to memory leaks of all previously allocated resources. Additionally, a missing validation of the remote maximum packet size allows a zero value to propagate into the segmentation routine, causing an infinite loop that consumes all available memory. An attacker who can trigger repeated reconfiguration or provide malformed configuration values could exhaust system memory or cause the kernel to hang, resulting in denial of service.

Affected Systems

This issue affects the Linux kernel itself, specifically the Bluetooth L2CAP subsystem in all kernel releases that include the affected code paths. The exact kernel versions are not enumerated in the supplied data, but any kernel with the L2CAP reconfiguration logic will be impacted. Since the CNA list lists Linux:Linux, users running any Linux kernel distribution with the stock Bluetooth stack should consider this vulnerability.

Risk and Exploitability

The CVSS score is not provided, and EPSS is not available, so the precise exploitation likelihood cannot be quantified. The vulnerability is listed in the kernel source as a regression fix but is not currently in the CISA KEV catalog. If an attacker can induce the kernel to process a configuration request with a zero remote MPS value, the infinite loop can be triggered, though practical exploitation would require some form of privileged or elevated Bluetooth interaction. The presence of a memory leak adds a secondary persistence risk. Administrators should not assume negligible impact; until the kernel is updated, the system could suffer a denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`96298f640104e4cd9a913a6e50b0b981829b94ff`	affected	< 9760b83cfd24b38caee663f429011a0dd6064fa9
`96298f640104e4cd9a913a6e50b0b981829b94ff`	affected	< de37e2655b7abc3f59254c6b72256840f39fc6d5
`96298f640104e4cd9a913a6e50b0b981829b94ff`	affected	< e7aab23b7df89a3d754a5f0a7d2237548b328bd0
`96298f640104e4cd9a913a6e50b0b981829b94ff`	affected	< 52667c859fe33f70c2e711cb81bbd505d5eb8e75
`96298f640104e4cd9a913a6e50b0b981829b94ff`	affected	< 9a21a631ee034b1573dce14b572a24943dbfd7ae
`96298f640104e4cd9a913a6e50b0b981829b94ff`	affected	< 900e4db5385ec2cacd372345a80ab9c8e105b3a3
`96298f640104e4cd9a913a6e50b0b981829b94ff`	affected	< 042e2cd4bb11e5313b19b87593616524949e4c52
`96298f640104e4cd9a913a6e50b0b981829b94ff`	affected	< 25f420a0d4cfd61d3d23ec4b9c56d9f443d91377
`4ad03ff6f680681c5f78254e37c4c856fa953629`	affected	—
`b7d0ca715c1008acd2fc018f02a56fed88f78b75`	affected	—
`799263eb37a4f7f6d39334046929c3bc92452a7f`	affected	—
`8828622fb9b4201eeb0870587052e3d834cfaf61`	affected	—
`b432ea85ab8472763870dd0f2c186130dd36d68c`	affected	—

Linux

affected

Version	Status	Constraints
`5.7`	affected	—
`0`	unaffected	< 5.7
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.131`	unaffected	≤ 6.6.*
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[96298f640104e4cd9a913a6e50b0b981829b94ff,9760b83cfd24b38caee663f429011a0dd6064fa9)`	affected	code_commit	—
`[96298f640104e4cd9a913a6e50b0b981829b94ff,de37e2655b7abc3f59254c6b72256840f39fc6d5)`	affected	code_commit	—
`[96298f640104e4cd9a913a6e50b0b981829b94ff,e7aab23b7df89a3d754a5f0a7d2237548b328bd0)`	affected	code_commit	—
`[96298f640104e4cd9a913a6e50b0b981829b94ff,52667c859fe33f70c2e711cb81bbd505d5eb8e75)`	affected	code_commit	—
`[96298f640104e4cd9a913a6e50b0b981829b94ff,9a21a631ee034b1573dce14b572a24943dbfd7ae)`	affected	code_commit	—
`[96298f640104e4cd9a913a6e50b0b981829b94ff,900e4db5385ec2cacd372345a80ab9c8e105b3a3)`	affected	code_commit	—
`[96298f640104e4cd9a913a6e50b0b981829b94ff,042e2cd4bb11e5313b19b87593616524949e4c52)`	affected	code_commit	—
`[96298f640104e4cd9a913a6e50b0b981829b94ff,25f420a0d4cfd61d3d23ec4b9c56d9f443d91377)`	affected	code_commit	—
`4ad03ff6f680681c5f78254e37c4c856fa953629`	affected	code_commit	—
`b7d0ca715c1008acd2fc018f02a56fed88f78b75`	affected	code_commit	—
`799263eb37a4f7f6d39334046929c3bc92452a7f`	affected	code_commit	—
`8828622fb9b4201eeb0870587052e3d834cfaf61`	affected	code_commit	—
`b432ea85ab8472763870dd0f2c186130dd36d68c`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.7`	affected	generic	—
`[0,5.7)`	unaffected	generic	—
`[5.10.253,5.10.*]`	unaffected	generic	—
`[5.15.203,5.15.*]`	unaffected	generic	—
`[6.1.168,6.1.*]`	unaffected	generic	—
`[6.6.131,6.6.*]`	unaffected	generic	—
`[6.12.80,6.12.*]`	unaffected	generic	—
`[6.18.21,6.18.*]`	unaffected	generic	—
`[6.19.11,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that addresses the L2CAP ERTM re‑init and zero pdu_len issues.
Reboot the system or reload the Bluetooth subsystem to load the updated kernel module.
Restrict or disable Bluetooth L2CAP functionality from unknown or untrusted devices until the patch is in force.

Generated by OpenCVE AI on April 22, 2026 at 18:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52
https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377
https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75
https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3
https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9
https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae
https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5
https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0
https://lore.kernel.org/linux-cve-announce/2026042204-CVE-2026-31498-1aee@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31498
https://www.cve.org/CVERecord?id=CVE-2026-31498

History

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-606
References		https://lore.kernel.org/linux-cve-announce/2026042204-CVE-2026-31498-1aee@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31498 https://www.cve.org/CVERecord?id=CVE-2026-31498
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 22 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-322 CWE-772

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED state to support L2CAP reconfiguration (e.g. MTU changes). However, since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from the initial configuration, the reconfiguration path falls through to l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and retrans_list without freeing the previous allocations and sets chan->sdu to NULL without freeing the existing skb. This leaks all previously allocated ERTM resources. Additionally, l2cap_parse_conf_req() does not validate the minimum value of remote_mps derived from the RFC max_pdu_size option. A zero value propagates to l2cap_segment_sdu() where pdu_len becomes zero, causing the while loop to never terminate since len is never decremented, exhausting all available memory. Fix the double-init by skipping l2cap_ertm_init() and l2cap_chan_ready() when the channel is already in BT_CONNECTED state, while still allowing the reconfiguration parameters to be updated through l2cap_parse_conf_req(). Also add a pdu_len zero check in l2cap_segment_sdu() as a safeguard.
Title		Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52 https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377 https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75 https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3 https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9 https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5 https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:54:19.714Z

Updated: 2026-04-22T13:54:19.714Z

Reserved: 2026-03-09T15:48:24.103Z

Link: CVE-2026-31498

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:16:48.067

Modified: 2026-04-23T16:17:41.280

Link: CVE-2026-31498

Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31498 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T19:00:08Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object