# CVE-2026-31498

> Vulnerability · severity: **MEDIUM** (CVSS 5.5).

## Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop

l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED
state to support L2CAP reconfiguration (e.g. MTU changes). However,
since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from
the initial configuration, the reconfiguration path falls through to
l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and
retrans_list without freeing the previous allocations and sets
chan->sdu to NULL without freeing the existing skb. This leaks all
previously allocated ERTM resources.

Additionally, l2cap_parse_conf_req() does not validate the minimum
value of remote_mps derived from the RFC max_pdu_size option. A zero
value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
causing the while loop to never terminate since len is never
decremented, exhausting all available memory.

Fix the double-init by skipping l2cap_ertm_init() and
l2cap_chan_ready() when the channel is already in BT_CONNECTED state,
while still allowing the reconfiguration parameters to be updated
through l2cap_parse_conf_req(). Also add a pdu_len zero check in
l2cap_segment_sdu() as a safeguard.

## Key facts

- **CVE ID:** CVE-2026-31498
- **Published:** 2026-04-22
- **CVSS severity:** MEDIUM
- **CVSS base score:** 5.5
- **CWE codes:** CWE-835

## Affected products

- `linux:linux_kernel`

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31498

## Citation

> AI Analytics. CVE-2026-31498. Retrieved 2026-07-19 from https://api.ai-analytics.org/cve/CVE-2026-31498. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*