Skip to main content

Linux Kernel EUVDEUVD-2026-27358

| CVE-2026-43062 HIGH
2026-05-05 Linux GHSA-6mf2-xqwv-jhq3
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 15:46 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.1 (HIGH)
Patch available
May 05, 2026 - 17:01 EUVD
CVE Published
May 05, 2026 - 15:17 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()

l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes with result at offset 0).

This causes two problems:

  • The sizeof(*rsp) length check requires 8 bytes instead of the

correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected with -EPROTO.

  • rsp->result reads from offset 6 instead of offset 0, returning

wrong data when the packet is large enough to pass the check.

Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field.

AnalysisAI

Type confusion in Linux kernel's Bluetooth L2CAP Enhanced Credit-Based Reconfiguration Response handler allows adjacent network attackers to trigger integrity violations and potential denial of service. The vulnerability affects kernel versions from 5.7 onwards (commit 15f02b910562) and has vendor patches available across stable branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) implementation, specifically in the Enhanced Credit-Based (ECRED) flow control mechanism. When processing L2CAP_ECRED_RECONF_RSP packets (Enhanced Credit-Based Reconfiguration Response), the function l2cap_ecred_reconf_rsp() incorrectly casts incoming data to struct l2cap_ecred_conn_rsp (8 bytes, connection response structure) instead of struct l2cap_ecred_reconf_rsp (2 bytes, reconfiguration response structure). This type confusion causes two distinct problems: first, the length validation requires 8 bytes instead of 2, causing legitimate 2-byte reconfiguration response packets to be rejected with -EPROTO error; second, when packets are large enough to pass the erroneous 8-byte check, the result field is read from byte offset 6 instead of offset 0, returning incorrect data from the packet buffer. The bug was introduced in commit 15f02b91056253e8cdc592888f431da0731337b8 and affects the Bluetooth stack's ability to correctly handle dynamic channel parameter updates during active connections.

RemediationAI

Apply vendor-supplied kernel updates to fixed versions: upgrade to Linux kernel 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, or 7.0 depending on your stable branch. Patch commits available at https://git.kernel.org/stable/c/15145675690cab2de1056e7ed68e59cbd0452529 (mainline) and branch-specific commits listed in references. For systems unable to immediately patch, implement compensating controls: disable Bluetooth functionality via 'rfkill block bluetooth' or blacklist the btusb/bluetooth kernel modules if Bluetooth is not required (note: this eliminates Bluetooth connectivity entirely). Alternatively, restrict Bluetooth pairing to trusted devices only via bluetoothctl and disable L2CAP ECRED features if configuration options exist in your kernel build, though this may break compatibility with devices requiring Enhanced Credit-Based channels. Network segmentation does not mitigate since attack vector is adjacent radio, not IP network. Monitor Bluetooth connection logs for abnormal L2CAP reconfiguration failures (dmesg | grep l2cap). Reboot required after kernel upgrade to load patched code.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy