{"api_version":"1","generated_at":"2026-04-23T02:24:50+00:00","cve":"CVE-2026-31498","urls":{"html":"https://cve.report/CVE-2026-31498","api":"https://cve.report/api/cve/CVE-2026-31498.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31498","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31498"},"summary":{"title":"Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan->sdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-22 14:16:48","updated_at":"2026-04-22 14:16:48"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377","name":"https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3","name":"https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5","name":"https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9","name":"https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52","name":"https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae","name":"https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0","name":"https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75","name":"https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31498","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31498","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 96298f640104e4cd9a913a6e50b0b981829b94ff 9760b83cfd24b38caee663f429011a0dd6064fa9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 96298f640104e4cd9a913a6e50b0b981829b94ff de37e2655b7abc3f59254c6b72256840f39fc6d5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 96298f640104e4cd9a913a6e50b0b981829b94ff e7aab23b7df89a3d754a5f0a7d2237548b328bd0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 96298f640104e4cd9a913a6e50b0b981829b94ff 52667c859fe33f70c2e711cb81bbd505d5eb8e75 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 96298f640104e4cd9a913a6e50b0b981829b94ff 9a21a631ee034b1573dce14b572a24943dbfd7ae git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 96298f640104e4cd9a913a6e50b0b981829b94ff 900e4db5385ec2cacd372345a80ab9c8e105b3a3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 96298f640104e4cd9a913a6e50b0b981829b94ff 042e2cd4bb11e5313b19b87593616524949e4c52 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 96298f640104e4cd9a913a6e50b0b981829b94ff 25f420a0d4cfd61d3d23ec4b9c56d9f443d91377 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4ad03ff6f680681c5f78254e37c4c856fa953629 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b7d0ca715c1008acd2fc018f02a56fed88f78b75 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 799263eb37a4f7f6d39334046929c3bc92452a7f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8828622fb9b4201eeb0870587052e3d834cfaf61 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b432ea85ab8472763870dd0f2c186130dd36d68c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.7","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.7 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.168 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.131 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.80 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.21 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.11 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/bluetooth/l2cap_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"9760b83cfd24b38caee663f429011a0dd6064fa9","status":"affected","version":"96298f640104e4cd9a913a6e50b0b981829b94ff","versionType":"git"},{"lessThan":"de37e2655b7abc3f59254c6b72256840f39fc6d5","status":"affected","version":"96298f640104e4cd9a913a6e50b0b981829b94ff","versionType":"git"},{"lessThan":"e7aab23b7df89a3d754a5f0a7d2237548b328bd0","status":"affected","version":"96298f640104e4cd9a913a6e50b0b981829b94ff","versionType":"git"},{"lessThan":"52667c859fe33f70c2e711cb81bbd505d5eb8e75","status":"affected","version":"96298f640104e4cd9a913a6e50b0b981829b94ff","versionType":"git"},{"lessThan":"9a21a631ee034b1573dce14b572a24943dbfd7ae","status":"affected","version":"96298f640104e4cd9a913a6e50b0b981829b94ff","versionType":"git"},{"lessThan":"900e4db5385ec2cacd372345a80ab9c8e105b3a3","status":"affected","version":"96298f640104e4cd9a913a6e50b0b981829b94ff","versionType":"git"},{"lessThan":"042e2cd4bb11e5313b19b87593616524949e4c52","status":"affected","version":"96298f640104e4cd9a913a6e50b0b981829b94ff","versionType":"git"},{"lessThan":"25f420a0d4cfd61d3d23ec4b9c56d9f443d91377","status":"affected","version":"96298f640104e4cd9a913a6e50b0b981829b94ff","versionType":"git"},{"status":"affected","version":"4ad03ff6f680681c5f78254e37c4c856fa953629","versionType":"git"},{"status":"affected","version":"b7d0ca715c1008acd2fc018f02a56fed88f78b75","versionType":"git"},{"status":"affected","version":"799263eb37a4f7f6d39334046929c3bc92452a7f","versionType":"git"},{"status":"affected","version":"8828622fb9b4201eeb0870587052e3d834cfaf61","versionType":"git"},{"status":"affected","version":"b432ea85ab8472763870dd0f2c186130dd36d68c","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/bluetooth/l2cap_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.7"},{"lessThan":"5.7","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.168","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.131","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.80","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.21","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.168","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.131","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.80","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.21","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.11","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.238","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.238","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.200","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.149","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.69","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan->sdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard."}],"providerMetadata":{"dateUpdated":"2026-04-22T13:54:19.714Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9"},{"url":"https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5"},{"url":"https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0"},{"url":"https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75"},{"url":"https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae"},{"url":"https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3"},{"url":"https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52"},{"url":"https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377"}],"title":"Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31498","datePublished":"2026-04-22T13:54:19.714Z","dateReserved":"2026-03-09T15:48:24.103Z","dateUpdated":"2026-04-22T13:54:19.714Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-22 14:16:48","lastModifiedDate":"2026-04-22 14:16:48","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31498","Ordinal":"1","Title":"Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loo","CVE":"CVE-2026-31498","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31498","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan->sdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard.","Type":"Description","Title":"Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loo"}]}}}