PT-2026-34403 · Linux · Linux Kernel
Published: 2026-04-22 · Updated: 2026-04-22 · CVE-2026-31498
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
An issue exists in the Bluetooth L2CAP component. The l2cap_config_req() function processes CONFIG_REQ for channels in BT_CONNECTED state to support reconfiguration, such as MTU changes. Because CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from initial configuration, the process triggers l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and retrans_list without freeing previous allocations and sets chan->sdu to NULL without freeing the existing skb, leading to a leak of ERTM resources. Additionally, l2cap_parse_conf_req() fails to validate the minimum value of remote_mps derived from the RFC max_pdu_size option. A zero value can propagate to l2cap_segment_sdu(), causing pdu_len to become zero, which results in an infinite while loop that exhausts available memory.
Recommendations
Update the Linux kernel to a version where the l2cap_config_req() function skips l2cap_ertm_init() and l2cap_chan_ready() when the channel is in BT_CONNECTED state, and a zero check for pdu_len is implemented in l2cap_segment_sdu().
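The zero pdu_len loop and the zero check described above, as a simplified userspace model in C. This is an added example, not kernel code or the upstream patch; the function names, the link_payload parameter, the iteration cap and the -EINVAL return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: hypothetical names, not kernel code. */
#define MODEL_MAX_PDUS 1000000L /* stands in for "until memory is exhausted" */
#define MODEL_NO_PROGRESS (-1L)

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Unguarded shape: each pass queues one PDU and consumes pdu_len bytes.
 * With remote_mps == 0, pdu_len is 0, so len never shrinks. */
long segment_sdu_unguarded(size_t len, size_t link_payload, size_t remote_mps)
{
    size_t pdu_len = min_sz(link_payload, remote_mps);
    long queued = 0;

    while (len > 0) {
        if (queued >= MODEL_MAX_PDUS)
            return MODEL_NO_PROGRESS; /* the real loop would keep allocating */
        queued++;                     /* one PDU buffer per pass */
        len -= min_sz(len, pdu_len);
    }
    return queued;
}

/* Guarded shape: reject a zero PDU length before entering the loop. */
long segment_sdu_guarded(size_t len, size_t link_payload, size_t remote_mps)
{
    size_t pdu_len = min_sz(link_payload, remote_mps);
    long queued = 0;

    if (pdu_len == 0)
        return -EINVAL; /* assumed error code for this model */

    while (len > 0) {
        queued++;
        len -= min_sz(len, pdu_len);
    }
    return queued;
}

int main(void)
{
    /* Constructed inputs: 1000-byte SDU, 672-byte link payload. */
    printf("mps=100 unguarded: %ld\n", segment_sdu_unguarded(1000, 672, 100));
    printf("mps=0   unguarded: %ld\n", segment_sdu_unguarded(1000, 672, 0));
    printf("mps=0   guarded:   %ld\n", segment_sdu_guarded(1000, 672, 0));
    return 0;
}
```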
Affected Products
Linux Kernel