Skip to main content

Linux Kernel Bluetooth CVE-2026-43334

| EUVDEUVD-2026-28618 HIGH
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3ggx-x2j4-gfqr
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:25 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
HIGH 8.8
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SMP: force responder MITM requirements before building the pairing response

smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM.

tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making method selection inconsistent with the pairing policy the responder already enforces.

When the local side requires HIGH security, first verify that MITM can be achieved from the IO capabilities and then force SMP_AUTH_MITM in the response in both rsp.auth_req and auth. This keeps the responder auth bits and later method selection aligned.

AnalysisAI

Authentication downgrade in Linux kernel Bluetooth SMP allows adjacent network attackers to bypass MITM protection during pairing. When a Bluetooth responder requires BT_SECURITY_HIGH, the SMP implementation incorrectly builds pairing responses before enforcing local MITM requirements, allowing initiators to force weaker 'Just Confirm' authentication even when policy mandates stronger methods. EPSS score of 0.02% indicates low predicted exploitation probability, and no active exploitation or public POC has been identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Technical ContextAI

The vulnerability resides in the Linux kernel's Bluetooth Security Manager Protocol (SMP) pairing implementation, specifically in the smp_cmd_pairing_req() function within net/bluetooth/smp.c. SMP handles cryptographic pairing between Bluetooth devices using various authentication methods determined by IO capabilities and security requirements. The flaw involves a logic ordering error where the responder builds its pairing response using the initiator's auth_req flags before validating them against the local BT_SECURITY_HIGH policy requirement. When an initiator omits the SMP_AUTH_MITM (Man-In-The-Middle protection) flag, the response mirrors this omission even though local policy requires MITM. Subsequently, tk_request() evaluates the auth value without SMP_AUTH_MITM and selects JUST_CFM (Just Confirm) method instead of PASSKEY_CONFIRM or NUMERIC_COMPARISON, effectively downgrading authentication strength. The vulnerability exists since commit 2b64d153a0cc (introduced in Linux 3.3) and affects the core Bluetooth authentication mechanism across all major kernel branches.

RemediationAI

Upgrade to patched kernel versions: 5.10.253 or later for 5.10.x series, 5.15.203+ for 5.15.x, 6.1.168+ for 6.1.x, 6.6.134+ for 6.6.x, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or 7.0+ for mainline. Patch commits available at https://git.kernel.org/stable/c/425a22c5373d4e1b46492ab869074ebeeade61f3 (5.10), https://git.kernel.org/stable/c/fa14e0e19820b1bbdb42185c9c4efa950bcffef9 (5.15), and corresponding links for other branches. For systems unable to upgrade immediately, implement compensating controls: disable Bluetooth entirely if not operationally required (via 'rfkill block bluetooth' or BIOS settings), restrict Bluetooth pairing to trusted devices only through allowlist policies, or disable discoverability mode to prevent unsolicited pairing attempts. In enterprise environments, enforce Bluetooth policy via MDM/configuration management to prevent user-initiated pairing with unknown devices. Note that disabling Bluetooth impacts legitimate peripheral connectivity (keyboards, headsets, medical sensors). Workarounds do not address the underlying kernel flaw and should be considered temporary until patching is completed. Prioritize patching for systems in physically accessible public spaces or those handling sensitive data via Bluetooth connections.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43334 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy