{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31498","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.103Z","datePublished":"2026-04-22T13:54:19.714Z","dateUpdated":"2026-05-11T22:09:54.185Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:09:54.185Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan->sdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/l2cap_core.c"],"versions":[{"version":"96298f640104e4cd9a913a6e50b0b981829b94ff","lessThan":"9760b83cfd24b38caee663f429011a0dd6064fa9","status":"affected","versionType":"git"},{"version":"96298f640104e4cd9a913a6e50b0b981829b94ff","lessThan":"de37e2655b7abc3f59254c6b72256840f39fc6d5","status":"affected","versionType":"git"},{"version":"96298f640104e4cd9a913a6e50b0b981829b94ff","lessThan":"e7aab23b7df89a3d754a5f0a7d2237548b328bd0","status":"affected","versionType":"git"},{"version":"96298f640104e4cd9a913a6e50b0b981829b94ff","lessThan":"52667c859fe33f70c2e711cb81bbd505d5eb8e75","status":"affected","versionType":"git"},{"version":"96298f640104e4cd9a913a6e50b0b981829b94ff","lessThan":"9a21a631ee034b1573dce14b572a24943dbfd7ae","status":"affected","versionType":"git"},{"version":"96298f640104e4cd9a913a6e50b0b981829b94ff","lessThan":"900e4db5385ec2cacd372345a80ab9c8e105b3a3","status":"affected","versionType":"git"},{"version":"96298f640104e4cd9a913a6e50b0b981829b94ff","lessThan":"042e2cd4bb11e5313b19b87593616524949e4c52","status":"affected","versionType":"git"},{"version":"96298f640104e4cd9a913a6e50b0b981829b94ff","lessThan":"25f420a0d4cfd61d3d23ec4b9c56d9f443d91377","status":"affected","versionType":"git"},{"version":"4ad03ff6f680681c5f78254e37c4c856fa953629","status":"affected","versionType":"git"},{"version":"b7d0ca715c1008acd2fc018f02a56fed88f78b75","status":"affected","versionType":"git"},{"version":"799263eb37a4f7f6d39334046929c3bc92452a7f","status":"affected","versionType":"git"},{"version":"8828622fb9b4201eeb0870587052e3d834cfaf61","status":"affected","versionType":"git"},{"version":"b432ea85ab8472763870dd0f2c186130dd36d68c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/l2cap_core.c"],"versions":[{"version":"5.7","status":"affected"},{"version":"0","lessThan":"5.7","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.131","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.6.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"7.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.238"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.238"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.200"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.149"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.69"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9"},{"url":"https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5"},{"url":"https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0"},{"url":"https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75"},{"url":"https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae"},{"url":"https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3"},{"url":"https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52"},{"url":"https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377"}],"title":"Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop","x_generator":{"engine":"bippy-1.2.0"}}}}