Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SMP: derive legacy responder STK authentication from MITM state

The legacy responder path in smp_random() currently labels the stored
STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.
That reflects what the local service requested, not what the pairing
flow actually achieved.

For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear
and the resulting STK should remain unauthenticated even if the local
side requested HIGH security. Use the established MITM state when
storing the responder STK so the key metadata matches the pairing result.

This also keeps the legacy path aligned with the Secure Connections code,
which already treats JUST_WORKS/JUST_CFM as unauthenticated.
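A simplified model of the defect described above, added here as an illustration and not the kernel's own code: the selected pairing method determines the MITM state, and the old responder path labels the stored STK from pending_sec_level rather than from that state. The struct, enum values and helper names are constructed for this model; only the kernel identifiers quoted in the description (smp_random's BT_SECURITY_HIGH check, SMP_FLAG_MITM_AUTH, JUST_WORKS/JUST_CFM) are real.

```c
/* Added example, not kernel code: a model of the "authenticated" flag the
 * legacy responder path stores with the STK, before and after the fix.
 * Kernel names (BT_SECURITY_HIGH, SMP_FLAG_MITM_AUTH, JUST_WORKS, JUST_CFM)
 * are kept; the struct, enum values and helpers are constructed here. */
#include <stdbool.h>
#include <stdint.h>

enum sec_level { BT_SECURITY_LOW = 1, BT_SECURITY_MEDIUM, BT_SECURITY_HIGH };
enum pairing_method { JUST_WORKS, JUST_CFM, REQ_PASSKEY, CFM_PASSKEY, REQ_OOB };

#define SMP_FLAG_MITM_AUTH 0 /* bit index in smp_model.flags (model value) */

struct smp_model {
    uint32_t flags;                   /* MITM bit set only if MITM was achieved */
    enum sec_level pending_sec_level; /* what the local service asked for */
};

/* Establish the MITM state from the selected method: Just Works and
 * Just Confirm give no MITM protection, passkey and OOB methods do. */
void smp_model_select_method(struct smp_model *smp, enum pairing_method m)
{
    smp->flags = 0;
    if (m != JUST_WORKS && m != JUST_CFM)
        smp->flags |= 1u << SMP_FLAG_MITM_AUTH;
}

/* Vulnerable derivation: the key is marked authenticated from the
 * requested security level, i.e. from intent rather than outcome. */
bool stk_auth_before_fix(const struct smp_model *smp)
{
    return smp->pending_sec_level == BT_SECURITY_HIGH;
}

/* Fixed derivation: the key is marked authenticated only when the
 * pairing flow actually established MITM protection. */
bool stk_auth_after_fix(const struct smp_model *smp)
{
    return (smp->flags >> SMP_FLAG_MITM_AUTH) & 1u;
}

/* Run one legacy responder pairing through both derivations; returns true
 * when the old code would store an unauthenticated STK as authenticated. */
bool stk_mislabelled(enum pairing_method m, enum sec_level requested)
{
    struct smp_model smp = { .flags = 0, .pending_sec_level = requested };

    smp_model_select_method(&smp, m);
    return stk_auth_before_fix(&smp) && !stk_auth_after_fix(&smp);
}
```

The mismatch only appears for Just Works/Just Confirm with HIGH requested; passkey and OOB pairings are labelled identically by both derivations.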
Published: 2026-05-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the Linux kernel's Bluetooth Security Manager Protocol (SMP). In the legacy responder pairing path, the code flags the stored Short Term Key (STK) as authenticated whenever the local side requested high security, even when no Man‑in‑the‑Middle (MITM) protection was actually performed during pairing. A Just Works or Just Confirm pairing can therefore be treated as if MITM‑protected authentication had occurred, potentially letting a device that only supports legacy pairing be granted higher privileges or access to sensitive Bluetooth services. The weakness stems from improper handling of authentication state, documented as CWE‑372.

Affected Systems

Vendor: Linux. Product: Linux kernel. The vulnerability affects kernel versions that lack the SMP/STK authentication fix referenced in the commit history. The CPE list includes kernel 3.16 and the 7.0 release candidates (rc1‑rc6). Administrators should consult the kernel changelog or vendor notes for the specific patch commit that resolves the issue, and ensure their systems are running a kernel version that incorporates the fix.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity impact. The EPSS score of less than 1% suggests a low but non‑zero exploitation probability. The flaw is not listed in CISA's KEV catalog, and no public exploits are cited in the references. Exploitation requires the attacker to perform a Bluetooth pairing transaction, typically within range of the target device. If an attacker can initiate a Just Works or Just Confirm pairing, the system may consider the connection to have high security when it does not, potentially allowing unauthorized Bluetooth actions. The risk is therefore significant for devices that rely on Bluetooth security levels for access control, but the attack is limited to the Bluetooth pairing context and does not provide arbitrary code execution.

Generated by OpenCVE AI on May 11, 2026 at 23:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel update that includes the SMP/STK authentication fix, referencing the commit that implements correct MITM state handling.
  • Disable legacy SMP pairing in the Bluetooth stack configuration and enforce Secure Connections only, preventing the deprecated pairing method from being used.
  • Monitor and audit Bluetooth sessions for instances of high‑security levels that lack corresponding MITM authentication, and raise alerts for such anomalies.

Advisories
Source       ID           Title
Debian DLA   DLA-4561-1   linux-6.1 security update
Debian DSA   DSA-6243-1   linux security update
History

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:3.16:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Sat, 02 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-287

Sat, 02 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-372
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Sat, 02 May 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-287

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: derive legacy responder STK authentication from MITM state The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved. For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security. Use the established MITM state when storing the responder STK so the key metadata matches the pairing result. This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated.
Title Bluetooth: SMP: derive legacy responder STK authentication from MITM state
First Time appeared  Linux; Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products  Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:05:55.169Z

Reserved: 2026-03-09T15:48:24.140Z

Link: CVE-2026-31773

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T15:16:40.587

Modified: 2026-05-11T20:38:06.777

Link: CVE-2026-31773

Redhat

Severity : Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31773 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T23:30:02Z

Weaknesses