5.5

CVE-2026-31498

EPSS 0.01%
Veröffentlicht 22.04.2026 14:16:48
Zuletzt bearbeitet 28.04.2026 14:41:39
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop

l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED
state to support L2CAP reconfiguration (e.g. MTU changes). However,
since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from
the initial configuration, the reconfiguration path falls through to
l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and
retrans_list without freeing the previous allocations and sets
chan->sdu to NULL without freeing the existing skb. This leaks all
previously allocated ERTM resources.

Additionally, l2cap_parse_conf_req() does not validate the minimum
value of remote_mps derived from the RFC max_pdu_size option. A zero
value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
causing the while loop to never terminate since len is never
decremented, exhausting all available memory.

Fix the double-init by skipping l2cap_ertm_init() and
l2cap_chan_ready() when the channel is already in BT_CONNECTED state,
while still allowing the reconfiguration parameters to be updated
through l2cap_parse_conf_req(). Also add a pdu_len zero check in
l2cap_segment_sdu() as a safeguard.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

NVD 20 VulnDex Vulnerability Enrichment 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 4.4.238 < 4.5

Linux ≫ Linux Kernel Version >= 4.9.238 < 4.10

Linux ≫ Linux Kernel Version >= 4.14.200 < 4.15

Linux ≫ Linux Kernel Version >= 4.19.149 < 4.20

Linux ≫ Linux Kernel Version >= 5.4.69 < 5.5

Linux ≫ Linux Kernel Version >= 5.7.1 < 5.10.253

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.203

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.168

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.131

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.80

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.21

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.11

Linux ≫ Linux Kernel Version5.7 Update-

Linux ≫ Linux Kernel Version7.0 Updaterc1

Linux ≫ Linux Kernel Version7.0 Updaterc2

Linux ≫ Linux Kernel Version7.0 Updaterc3

Linux ≫ Linux Kernel Version7.0 Updaterc4

Linux ≫ Linux Kernel Version7.0 Updaterc5

Linux ≫ Linux Kernel Version7.0 Updaterc6

Linux ≫ Linux Kernel Version7.0 Updaterc7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.023

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52

Patch

https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377

Patch

https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75

Patch

https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3

Patch

https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9

Patch

https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae

Patch

https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5

Patch

https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-31498

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31498

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31498

EUVD