Skip to main content

Linux Kernel EUVDEUVD-2026-26619

| CVE-2026-43020 HIGH
Out-of-bounds Write (CWE-787)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 14:52 vuln.today
CVSS changed
May 08, 2026 - 14:52 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26619
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate LTK enc_size on load

Load Long Term Keys stores the user-provided enc_size and later uses it to size fixed-size stack operations when replying to LE LTK requests. An enc_size larger than the 16-byte key buffer can therefore overflow the reply stack buffer.

Reject oversized enc_size values while validating the management LTK record so invalid keys never reach the stored key state.

AnalysisAI

Stack buffer overflow in Linux kernel Bluetooth MGMT subsystem allows local authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability stems from insufficient validation of the encryption key size (enc_size) parameter when loading Long Term Keys (LTKs) via the Bluetooth management interface. When processing LE LTK requests, the kernel uses the attacker-controlled enc_size value to perform stack operations against a fixed 16-byte buffer, enabling stack corruption through oversized values. Vendor-released patches are available across all active kernel branches. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploit has been identified at time of analysis, though the attack complexity is low once local authenticated access is obtained.

Technical ContextAI

This vulnerability affects the Linux kernel's Bluetooth Management (MGMT) interface, specifically the Long Term Key (LTK) loading mechanism used in Bluetooth Low Energy (BLE) pairing. LTKs are cryptographic keys stored to enable reconnection without re-pairing. The MGMT interface allows userspace processes with appropriate privileges to load these keys into the kernel. The vulnerability is a classic stack-based buffer overflow (CWE-787) where the kernel fails to validate the enc_size field in user-supplied LTK records before using it to size stack operations. When the kernel processes subsequent LE LTK requests, it copies data based on the attacker-controlled enc_size into a fixed 16-byte stack buffer, allowing values exceeding 16 bytes to overflow into adjacent stack memory. The affected code path exists in the Bluetooth subsystem's management command handlers, present since commit 346af67b8d11 (Linux 3.4 era, circa 2012). CPE data confirms broad impact across the Linux kernel product line (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), with patches backported to all supported stable branches including 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0.

RemediationAI

Immediately update to patched kernel versions: 5.10.253 or later for the 5.10.x branch, 5.15.203+ for 5.15.x, 6.1.168+ for 6.1.x, 6.6.134+ for 6.6.x, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or mainline 7.0+. Upstream patches are available at https://git.kernel.org/stable/c/f71695e81f4cb428f3c7e2138eae88199005b52c (mainline) with stable backports linked in the CVE references. Distribution-specific updates should be applied via package managers (apt, yum, zypper) as vendors release patched kernel packages. As a temporary mitigation if patching is delayed, restrict access to the Bluetooth MGMT interface by removing CAP_NET_ADMIN capability from untrusted local users or disabling the btmgmt/bluetoothctl management tools for non-administrator accounts. Note that this mitigation prevents legitimate Bluetooth management operations and may break user-facing Bluetooth functionality. Alternatively, disable Bluetooth support entirely (rmmod btusb bluetooth, or boot with bluetooth.disable_elog=1 kernel parameter) if Bluetooth connectivity is not operationally required, though this represents significant functionality loss. Organizations should prioritize patching over mitigations given the availability of vendor fixes across all active kernel branches.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy