Linux Kernel Bluetooth L2CAP ERTM Reinit & Zero PDU Len DoS
CVE-2026-31498 Published on April 22, 2026
Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED
state to support L2CAP reconfiguration (e.g. MTU changes). However,
since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from
the initial configuration, the reconfiguration path falls through to
l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and
retrans_list without freeing the previous allocations and sets
chan->sdu to NULL without freeing the existing skb. This leaks all
previously allocated ERTM resources.
Additionally, l2cap_parse_conf_req() does not validate the minimum
value of remote_mps derived from the RFC max_pdu_size option. A zero
value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
causing the while loop to never terminate since len is never
decremented, exhausting all available memory.
Fix the double-init by skipping l2cap_ertm_init() and
l2cap_chan_ready() when the channel is already in BT_CONNECTED state,
while still allowing the reconfiguration parameters to be updated
through l2cap_parse_conf_req(). Also add a pdu_len zero check in
l2cap_segment_sdu() as a safeguard.
Products Associated with CVE-2026-31498
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 96298f640104e4cd9a913a6e50b0b981829b94ff and below 9760b83cfd24b38caee663f429011a0dd6064fa9 is affected.
- Version 96298f640104e4cd9a913a6e50b0b981829b94ff and below de37e2655b7abc3f59254c6b72256840f39fc6d5 is affected.
- Version 96298f640104e4cd9a913a6e50b0b981829b94ff and below e7aab23b7df89a3d754a5f0a7d2237548b328bd0 is affected.
- Version 96298f640104e4cd9a913a6e50b0b981829b94ff and below 52667c859fe33f70c2e711cb81bbd505d5eb8e75 is affected.
- Version 96298f640104e4cd9a913a6e50b0b981829b94ff and below 9a21a631ee034b1573dce14b572a24943dbfd7ae is affected.
- Version 96298f640104e4cd9a913a6e50b0b981829b94ff and below 900e4db5385ec2cacd372345a80ab9c8e105b3a3 is affected.
- Version 96298f640104e4cd9a913a6e50b0b981829b94ff and below 042e2cd4bb11e5313b19b87593616524949e4c52 is affected.
- Version 96298f640104e4cd9a913a6e50b0b981829b94ff and below 25f420a0d4cfd61d3d23ec4b9c56d9f443d91377 is affected.
- Version 4ad03ff6f680681c5f78254e37c4c856fa953629 is affected.
- Version b7d0ca715c1008acd2fc018f02a56fed88f78b75 is affected.
- Version 799263eb37a4f7f6d39334046929c3bc92452a7f is affected.
- Version 8828622fb9b4201eeb0870587052e3d834cfaf61 is affected.
- Version b432ea85ab8472763870dd0f2c186130dd36d68c is affected.
- Version 5.7 is affected.
- Before 5.7 is unaffected.
- Version 5.10.253, <= 5.10.* is unaffected.
- Version 5.15.203, <= 5.15.* is unaffected.
- Version 6.1.168, <= 6.1.* is unaffected.
- Version 6.6.131, <= 6.6.* is unaffected.
- Version 6.12.80, <= 6.12.* is unaffected.
- Version 6.18.21, <= 6.18.* is unaffected.
- Version 6.19.11, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.