CVE-2026-31498

EUVD-2026-24872

22.04.2026, 14:16

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop

l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED
state to support L2CAP reconfiguration (e.g. MTU changes). However,
since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from
the initial configuration, the reconfiguration path falls through to
l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and
retrans_list without freeing the previous allocations and sets
chan->sdu to NULL without freeing the existing skb. This leaks all
previously allocated ERTM resources.

Additionally, l2cap_parse_conf_req() does not validate the minimum
value of remote_mps derived from the RFC max_pdu_size option. A zero
value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
causing the while loop to never terminate since len is never
decremented, exhausting all available memory.

Fix the double-init by skipping l2cap_ertm_init() and
l2cap_chan_ready() when the channel is already in BT_CONNECTED state,
while still allowing the reconfiguration parameters to be updated
through l2cap_parse_conf_req(). Also add a pdu_len zero check in
l2cap_segment_sdu() as a safeguard.

Infinite Loop

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.4.238 ≤ 𝑥 < 4.5
linux	linux_kernel	4.9.238 ≤ 𝑥 < 4.10
linux	linux_kernel	4.14.200 ≤ 𝑥 < 4.15
linux	linux_kernel	4.19.149 ≤ 𝑥 < 4.20
linux	linux_kernel	5.4.69 ≤ 𝑥 < 5.5
linux	linux_kernel	5.7.1 ≤ 𝑥 < 5.10.253
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.203
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.168
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.131
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.80
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.21
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.11
linux	linux_kernel	5.7
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2
linux	linux_kernel	7.0:rc3
linux	linux_kernel	7.0:rc4
linux	linux_kernel	7.0:rc5
linux	linux_kernel	7.0:rc6
linux	linux_kernel	7.0:rc7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.257-1 fixed
forky	7.0.10-1 fixed
sid	7.0.10-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-2 fixed

linux-6.1

bullseye (security)

6.1.174-1~deb11u1

fixed

Common Weakness Enumeration

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen, Sicherheitsmaßnahmen zu umgehen, Informationen offenzulegen, andere nicht näher spezifizierte Auswirkungen zu verursachen und möglicherweise Code auszuführen.
Published: 2026-04-22T22:00:00+00:00

References

https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52

https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377

https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75

https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3

https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9

https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae

https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5

https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0