Skip to main content

Linux Kernel EUVDEUVD-2026-27694

| CVE-2026-43134 HIGH
2026-05-06 Linux GHSA-jc53-6rw8-5w3x
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:30 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.1 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 8.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ

This adds a check for encryption key size upon receiving L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which expects L2CAP_CR_LE_BAD_KEY_SIZE.

AnalysisAI

Bluetooth L2CAP implementation in Linux kernel fails to validate encryption key size when processing LE Credit Flow Control connection requests, allowing adjacent network attackers to establish L2CAP connections with insufficient cryptographic strength. This affects kernel versions from 3.14 through 6.19.5, with patches released in stable branches 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6. EPSS score of 0.01% suggests minimal exploitation likelihood despite the adjacent network attack vector and no authentication requirement. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Technical ContextAI

The vulnerability exists in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) subsystem, specifically in the handler for L2CAP_LE_CONN_REQ (LE Credit Flow Control connection requests). L2CAP is a key protocol in the Bluetooth stack that provides connection-oriented and connectionless data services with protocol multiplexing, segmentation, and reassembly. LE Credit Flow Control (CFC) is a Bluetooth Low Energy mechanism that manages data flow between devices. The flaw stems from a missing validation check for encryption key size during the connection establishment phase. According to Bluetooth Core Specification test case L2CAP/LE/CFC/BV-15-C, implementations must verify encryption key size meets minimum requirements and reject connections with L2CAP_CR_LE_BAD_KEY_SIZE error code when keys are too short. Without this check, the kernel accepts connections encrypted with weak keys, violating Bluetooth Security Mode requirements. The affected code path handles incoming connection requests on Bluetooth LE links, where proper key validation is critical for maintaining confidentiality guarantees. The fix introduced in commits starting from 27e2d4c8d28be1d1b4ecfbffab572d7dbd35254d adds explicit key size verification before accepting LE connection requests.

RemediationAI

Upgrade to patched kernel versions: 5.10.252 or later for 5.10.x branch, 5.15.202 or later for 5.15.x, 6.1.165 or later for 6.1.x, 6.6.128 or later for 6.6.x, 6.12.75 or later for 6.12.x, 6.18.16 or later for 6.18.x, 6.19.6 or later for 6.19.x, or upgrade to mainline kernel 7.0. Patch commits are available at https://git.kernel.org/stable/ including commit 96581749c7c14fbec32c35728520867929600041 for the primary fix. For systems where kernel upgrades cannot be immediately deployed, disable Bluetooth functionality entirely using 'rfkill block bluetooth' or disable the Bluetooth kernel module with 'modprobe -r btusb bluetooth' (note this breaks all Bluetooth functionality, impacting wireless peripherals and file transfers). For systems requiring Bluetooth but unable to patch immediately, disable LE Credit Flow Control by blocking L2CAP LE connections through netfilter Bluetooth rules, though this significantly reduces Bluetooth LE functionality and may break modern Bluetooth devices. Restrict Bluetooth adapter visibility and disable discoverability mode to reduce attack surface, though this does not prevent exploitation against already-paired devices. Compensating controls have substantial operational impact and patching remains the only complete mitigation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27694 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy