{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31498", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.103Z", "datePublished": "2026-04-22T13:54:19.714Z", "dateUpdated": "2026-04-22T13:54:19.714Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:19.714Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan->sdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "96298f640104e4cd9a913a6e50b0b981829b94ff", "lessThan": "9760b83cfd24b38caee663f429011a0dd6064fa9", "status": "affected", "versionType": "git"}, {"version": "96298f640104e4cd9a913a6e50b0b981829b94ff", "lessThan": "de37e2655b7abc3f59254c6b72256840f39fc6d5", "status": "affected", "versionType": "git"}, {"version": "96298f640104e4cd9a913a6e50b0b981829b94ff", "lessThan": "e7aab23b7df89a3d754a5f0a7d2237548b328bd0", "status": "affected", "versionType": "git"}, {"version": "96298f640104e4cd9a913a6e50b0b981829b94ff", "lessThan": "52667c859fe33f70c2e711cb81bbd505d5eb8e75", "status": "affected", "versionType": "git"}, {"version": "96298f640104e4cd9a913a6e50b0b981829b94ff", "lessThan": "9a21a631ee034b1573dce14b572a24943dbfd7ae", "status": "affected", "versionType": "git"}, {"version": "96298f640104e4cd9a913a6e50b0b981829b94ff", "lessThan": "900e4db5385ec2cacd372345a80ab9c8e105b3a3", "status": "affected", "versionType": "git"}, {"version": "96298f640104e4cd9a913a6e50b0b981829b94ff", "lessThan": "042e2cd4bb11e5313b19b87593616524949e4c52", "status": "affected", "versionType": "git"}, {"version": "96298f640104e4cd9a913a6e50b0b981829b94ff", "lessThan": "25f420a0d4cfd61d3d23ec4b9c56d9f443d91377", "status": "affected", "versionType": "git"}, {"version": "4ad03ff6f680681c5f78254e37c4c856fa953629", "status": "affected", "versionType": "git"}, {"version": "b7d0ca715c1008acd2fc018f02a56fed88f78b75", "status": "affected", "versionType": "git"}, {"version": "799263eb37a4f7f6d39334046929c3bc92452a7f", "status": "affected", "versionType": "git"}, {"version": "8828622fb9b4201eeb0870587052e3d834cfaf61", "status": "affected", "versionType": "git"}, {"version": "b432ea85ab8472763870dd0f2c186130dd36d68c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.238"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.238"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.200"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.149"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.69"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9"}, {"url": "https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5"}, {"url": "https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0"}, {"url": "https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75"}, {"url": "https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae"}, {"url": "https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3"}, {"url": "https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52"}, {"url": "https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377"}], "title": "Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan->sdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard."}], "id": "CVE-2026-31498", "lastModified": "2026-04-22T14:16:48.067", "metrics": {}, "published": "2026-04-22T14:16:48.067", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop", "id": "2460629", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460629"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-606", "details": ["A flaw was found in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) implementation. A remote attacker could exploit this by sending a malformed configuration request with a zero-valued maximum PDU (Protocol Data Unit) size. This could lead to an infinite loop, exhausting system memory and causing a denial of service. Additionally, improper handling of channel reconfiguration could result in memory leaks."], "name": "CVE-2026-31498", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31498\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31498\nhttps://lore.kernel.org/linux-cve-announce/2026042204-CVE-2026-31498-1aee@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96298f640104e4cd9a913a6e50b0b981829b94ff,9760b83cfd24b38caee663f429011a0dd6064fa9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96298f640104e4cd9a913a6e50b0b981829b94ff,de37e2655b7abc3f59254c6b72256840f39fc6d5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96298f640104e4cd9a913a6e50b0b981829b94ff,e7aab23b7df89a3d754a5f0a7d2237548b328bd0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96298f640104e4cd9a913a6e50b0b981829b94ff,52667c859fe33f70c2e711cb81bbd505d5eb8e75)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96298f640104e4cd9a913a6e50b0b981829b94ff,9a21a631ee034b1573dce14b572a24943dbfd7ae)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96298f640104e4cd9a913a6e50b0b981829b94ff,900e4db5385ec2cacd372345a80ab9c8e105b3a3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96298f640104e4cd9a913a6e50b0b981829b94ff,042e2cd4bb11e5313b19b87593616524949e4c52)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96298f640104e4cd9a913a6e50b0b981829b94ff,25f420a0d4cfd61d3d23ec4b9c56d9f443d91377)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "4ad03ff6f680681c5f78254e37c4c856fa953629"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "b7d0ca715c1008acd2fc018f02a56fed88f78b75"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "799263eb37a4f7f6d39334046929c3bc92452a7f"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "8828622fb9b4201eeb0870587052e3d834cfaf61"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "b432ea85ab8472763870dd0f2c186130dd36d68c"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.10.253,5.10.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.168,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.131,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.80,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.21,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.11,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:46:44.435828+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that addresses the L2CAP ERTM re\u2011init and zero pdu_len issues.", "Reboot the system or reload the Bluetooth subsystem to load the updated kernel module.", "Restrict or disable Bluetooth L2CAP functionality from unknown or untrusted devices until the patch is in force."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service through memory exhaustion and infinite loop"}, "threat_synthesis": {"affected_systems": "This issue affects the Linux kernel itself, specifically the Bluetooth L2CAP subsystem in all kernel releases that include the affected code paths. The exact kernel versions are not enumerated in the supplied data, but any kernel with the L2CAP reconfiguration logic will be impacted. Since the CNA list lists Linux:Linux, users running any Linux kernel distribution with the stock Bluetooth stack should consider this vulnerability.", "description_and_impact": "The vulnerability originates from the Linux kernel\u2019s Bluetooth L2CAP implementation, where a reconfiguration request on an already connected channel re\u2011initializes ERTM data structures without freeing prior allocations, leading to memory leaks of all previously allocated resources. Additionally, a missing validation of the remote maximum packet size allows a zero value to propagate into the segmentation routine, causing an infinite loop that consumes all available memory. An attacker who can trigger repeated reconfiguration or provide malformed configuration values could exhaust system memory or cause the kernel to hang, resulting in denial of service.", "risk_and_exploitability": "The CVSS score is not provided, and EPSS is not available, so the precise exploitation likelihood cannot be quantified. The vulnerability is listed in the kernel source as a regression fix but is not currently in the CISA KEV catalog. If an attacker can induce the kernel to process a configuration request with a zero remote MPS value, the infinite loop can be triggered, though practical exploitation would require some form of privileged or elevated Bluetooth interaction. The presence of a memory leak adds a secondary persistence risk. Administrators should not assume negligible impact; until the kernel is updated, the system could suffer a denial of service."}}}}, "created": "2026-04-22T17:30:22.455397+00:00", "updated": "2026-04-22T19:00:08.085434+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-322", "CWE-772"]}