Skip to main content

Linux Kernel EUVDEUVD-2026-24872

| CVE-2026-31498 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 14:53 vuln.today
CVSS changed
Apr 28, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 14:41 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24872
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop

l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED state to support L2CAP reconfiguration (e.g. MTU changes). However, since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from the initial configuration, the reconfiguration path falls through to l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and retrans_list without freeing the previous allocations and sets chan->sdu to NULL without freeing the existing skb. This leaks all previously allocated ERTM resources.

Additionally, l2cap_parse_conf_req() does not validate the minimum value of remote_mps derived from the RFC max_pdu_size option. A zero value propagates to l2cap_segment_sdu() where pdu_len becomes zero, causing the while loop to never terminate since len is never decremented, exhausting all available memory.

Fix the double-init by skipping l2cap_ertm_init() and l2cap_chan_ready() when the channel is already in BT_CONNECTED state, while still allowing the reconfiguration parameters to be updated through l2cap_parse_conf_req(). Also add a pdu_len zero check in l2cap_segment_sdu() as a safeguard.

AnalysisAI

Denial of service via infinite loop in Bluetooth L2CAP ERTM reconfiguration allows local authenticated attackers to exhaust system memory. The vulnerability arises from two distinct flaws: improper handling of L2CAP channel reconfiguration that leaks ERTM resources and fails to validate minimum PDU size, causing an infinite loop in l2cap_segment_sdu() when remote_mps is set to zero. EPSS score of 0.02% indicates limited exploitation likelihood despite the high CVSS score, reflecting the requirement for local access and authenticated Bluetooth channel state.

Technical ContextAI

The Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) layer implements ERTM (Enhanced Retransmission Mode) for reliable frame delivery. When l2cap_config_req() processes reconfiguration requests on channels already in BT_CONNECTED state, the code path incorrectly calls l2cap_ertm_init() without first freeing previously allocated queue structures (tx_q, srej_q, retrans_list) and SDU buffers, causing resource leaks. Separately, l2cap_parse_conf_req() fails to enforce a minimum value check on remote_mps derived from RFC max_pdu_size configuration options. When remote_mps reaches zero, l2cap_segment_sdu() enters an infinite loop because pdu_len becomes zero and the loop condition 'while (len)' is never satisfied since len is never decremented, leading to unbounded memory allocation and system hang. The root cause is classified under CWE-835 (Loop with Unreachable Exit Condition).

RemediationAI

Apply the vendor-released kernel patch by upgrading to Linux 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0, or later stable versions, and for LTS branches use 5.10.253 or 5.15.203. The fix involves two key changes: skipping l2cap_ertm_init() and l2cap_chan_ready() when reconfiguring channels already in BT_CONNECTED state while preserving parameter updates, and adding explicit validation in l2cap_segment_sdu() to reject zero pdu_len values. If immediate patching is not feasible, disable Bluetooth ERTM mode entirely via kernel module parameter (verify with your distribution's Bluetooth driver documentation), though this eliminates reliable frame delivery for Bluetooth connections and may break certain Bluetooth profiles. Alternatively, restrict Bluetooth configuration permissions to trusted administrators only and disable unused Bluetooth profiles that rely on ERTM at the userspace bluetooth daemon level. Monitor for kernel memory pressure and unexpected Bluetooth connection drops as indicators of exploitation attempts. References to upstream commits are available at https://nvd.nist.gov/vuln/detail/CVE-2026-31498.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24872 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy