In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED state to support L2CAP reconfiguration (e.g. MTU changes). However, since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from the initial configuration, the reconfiguration path falls through to l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and retrans_list without freeing the previous allocations and sets chan->sdu to NULL without freeing the existing skb. This leaks all previously allocated ERTM resources.
Additionally, l2cap_parse_conf_req() does not validate the minimum value of remote_mps derived from the RFC max_pdu_size option. A zero value propagates to l2cap_segment_sdu() where pdu_len becomes zero, causing the while loop to never terminate since len is never decremented, exhausting all available memory.
Fix the double-init by skipping l2cap_ertm_init() and l2cap_chan_ready() when the channel is already in BT_CONNECTED state, while still allowing the reconfiguration parameters to be updated through l2cap_parse_conf_req(). Also add a pdu_len zero check in l2cap_segment_sdu() as a safeguard.
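The two failure modes described in the commit message, as a constructed userspace model added here (this is not the kernel's code and does not reproduce l2cap_core.c): a segmentation loop that only makes progress when pdu_len is non-zero, a lower bound on the MPS taken from the peer's RFC option (the minimum value 1 and the local maximum 1024 are assumptions for the example, not the kernel's real limits), and a config-request handler that updates parameters on an already connected channel without re-running ERTM initialization. All function and type names prefixed model_ are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the ERTM segmentation loop (not l2cap_segment_sdu()).
 * Counts how many PDUs an SDU of `len` bytes splits into at `pdu_len` bytes
 * each. With pdu_len == 0 the loop would subtract 0 from len on every
 * iteration and never exit, so the model refuses that input up front. */
int model_segment_count(size_t len, size_t pdu_len)
{
	if (pdu_len == 0)
		return -EINVAL;	/* the safeguard; without it the loop never terminates */

	int pdus = 0;
	while (len > 0) {
		size_t chunk = len < pdu_len ? len : pdu_len;
		len -= chunk;	/* only progresses because chunk > 0 */
		pdus++;
	}
	return pdus;
}

/* Constructed model of deriving the remote MPS from a peer's RFC
 * max_pdu_size option. `min_mps` and `local_max` are assumed bounds for
 * the example; the kernel's real limits are not stated in the advisory.
 * Returns the accepted MPS, or -EINVAL when the peer's value is too small. */
int model_accept_remote_mps(uint16_t max_pdu_size, uint16_t min_mps,
			    uint16_t local_max)
{
	if (max_pdu_size < min_mps)
		return -EINVAL;
	return max_pdu_size < local_max ? max_pdu_size : local_max;
}

/* Constructed model of the reconfiguration guard: ERTM state is initialised
 * only on the first transition to "connected"; a later CONFIG_REQ updates
 * parameters but must not run the initialisation again. */
enum model_state { MODEL_CONFIG = 0, MODEL_CONNECTED = 1 };

struct model_chan {
	enum model_state state;
	int ertm_inits;		/* times init ran; a correct handler keeps this at 1 */
	uint16_t remote_mps;
};

int model_config_req(struct model_chan *chan, uint16_t max_pdu_size)
{
	int mps = model_accept_remote_mps(max_pdu_size, 1, 1024);
	if (mps < 0)
		return mps;	/* reject before any channel state changes */
	chan->remote_mps = (uint16_t)mps;

	if (chan->state == MODEL_CONNECTED)
		return 0;	/* reconfiguration: parameters updated, no re-init */

	chan->ertm_inits++;	/* stands in for the one-time ERTM initialisation */
	chan->state = MODEL_CONNECTED;
	return 0;
}

/* Drives a fresh channel through initial configuration, a reconfiguration,
 * and a rejected zero-MPS request; returns how many times init ran. */
int model_reconfig_init_count(void)
{
	struct model_chan chan = { .state = MODEL_CONFIG, .ertm_inits = 0, .remote_mps = 0 };

	if (model_config_req(&chan, 512) != 0 || chan.remote_mps != 512)
		return -1;
	if (model_config_req(&chan, 256) != 0 || chan.remote_mps != 256)
		return -1;
	if (model_config_req(&chan, 0) != -EINVAL || chan.remote_mps != 256)
		return -1;
	return chan.ertm_inits;
}
```

The order of checks in model_config_req() is the point worth keeping when translating this to real code: the MPS is validated before any per-channel state is touched, and the connected-state check comes after parameter parsing, so a reconfiguration still takes effect without re-allocating queues that were set up on the first configuration.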
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31498.json"
}