Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SMP: derive legacy responder STK authentication from MITM state

The legacy responder path in smp_random() currently labels the stored
STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.
That reflects what the local service requested, not what the pairing
flow actually achieved.

For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear
and the resulting STK should remain unauthenticated even if the local
side requested HIGH security. Use the established MITM state when
storing the responder STK so the key metadata matches the pairing result.

This also keeps the legacy path aligned with the Secure Connections code,
which already treats JUST_WORKS/JUST_CFM as unauthenticated.
Published: 2026-05-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is that the legacy responder path in the kernel's Bluetooth SMP code (smp_random()) labels the stored Short Term Key (STK) as authenticated whenever the local side requested BT_SECURITY_HIGH, regardless of whether the pairing method actually provided Man-in-the-Middle (MITM) protection. Just Works and Just Confirm legacy pairing never set SMP_FLAG_MITM_AUTH, so a peer that completes such a pairing against a device acting as responder leaves behind key metadata claiming an authentication that was never achieved. Any later check that trusts that metadata, such as a service that requires an authenticated key, would be satisfied, potentially granting access to operations or data reserved for MITM-protected links. The weakness is improper handling of authentication state (CWE-287): the recorded security level of the connection is raised without genuine proof of MITM protection.
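The decision described above, modelled in user-space C as an added example. This is not the kernel's code: it follows the description (the "before" derives the STK's authenticated flag from pending_sec_level == BT_SECURITY_HIGH, the "after" from SMP_FLAG_MITM_AUTH), and the numeric values of the BT_SECURITY_* levels, the SMP flag bit, the pairing-method enumerators, the placeholder key bytes and the link_satisfies() check are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Security levels, mirroring the kernel's BT_SECURITY_* names (values assumed). */
#define BT_SECURITY_MEDIUM  2
#define BT_SECURITY_HIGH    3

/* Legacy pairing methods named in the description; enumerator values assumed. */
enum pairing_method { JUST_WORKS, JUST_CFM, REQ_PASSKEY, CFM_PASSKEY, REQ_OOB };

/* The MITM flag bit of the SMP channel; bit position assumed. */
#define SMP_FLAG_MITM_AUTH  (1u << 2)

struct smp_chan {
    unsigned long flags;        /* SMP_FLAG_* bits established during pairing */
    enum pairing_method method;
};

struct hci_conn {
    uint8_t pending_sec_level;  /* what the local service requested */
};

/* What the model of hci_add_ltk() records about the STK. */
struct stored_key {
    uint8_t key[16];
    bool authenticated;         /* key metadata consulted by later security checks */
};

/* Only passkey/OOB methods provide MITM protection; Just Works and Just
 * Confirm leave the flag clear, as the description states. */
static void set_mitm_flag(struct smp_chan *smp)
{
    if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
        smp->flags &= ~(unsigned long)SMP_FLAG_MITM_AUTH;
    else
        smp->flags |= SMP_FLAG_MITM_AUTH;
}

/* Before the fix: "authenticated" is derived from the requested level. */
static bool stk_auth_before(const struct hci_conn *hcon, const struct smp_chan *smp)
{
    (void)smp;
    return hcon->pending_sec_level == BT_SECURITY_HIGH;
}

/* After the fix: "authenticated" is derived from the established MITM state. */
static bool stk_auth_after(const struct hci_conn *hcon, const struct smp_chan *smp)
{
    (void)hcon;
    return (smp->flags & SMP_FLAG_MITM_AUTH) != 0;
}

/* Run one legacy pairing as responder and store the STK. The key bytes are a
 * constructed placeholder; the real path derives the STK with smp_s1(). */
static void pair_as_responder(enum pairing_method method, uint8_t requested,
                              bool fixed, struct stored_key *out)
{
    struct smp_chan smp = { .flags = 0, .method = method };
    struct hci_conn hcon = { .pending_sec_level = requested };

    set_mitm_flag(&smp);
    for (int i = 0; i < 16; i++)
        out->key[i] = (uint8_t)(0xA0 + i);
    out->authenticated = fixed ? stk_auth_after(&hcon, &smp)
                               : stk_auth_before(&hcon, &smp);
}

/* Model of a later check: a service demanding BT_SECURITY_HIGH is satisfied
 * only by a link encrypted with a key marked authenticated (assumed rule). */
static bool link_satisfies(uint8_t required, const struct stored_key *k)
{
    if (required <= BT_SECURITY_MEDIUM)
        return true;            /* MEDIUM needs encryption only */
    return k->authenticated;
}

/* Does the stored STK end up marked authenticated after this pairing? */
bool responder_stk_authenticated(enum pairing_method m, uint8_t requested, bool fixed)
{
    struct stored_key k;
    pair_as_responder(m, requested, fixed, &k);
    return k.authenticated;
}

/* Does a service requiring `required` accept the link after this pairing? */
bool service_accepts(enum pairing_method m, uint8_t requested, uint8_t required, bool fixed)
{
    struct stored_key k;
    pair_as_responder(m, requested, fixed, &k);
    return link_satisfies(required, &k);
}

int main(void)
{
    printf("Just Works, HIGH requested, STK authenticated: before=%d after=%d\n",
           responder_stk_authenticated(JUST_WORKS, BT_SECURITY_HIGH, false),
           responder_stk_authenticated(JUST_WORKS, BT_SECURITY_HIGH, true));
    printf("HIGH service accepts that link:                 before=%d after=%d\n",
           service_accepts(JUST_WORKS, BT_SECURITY_HIGH, BT_SECURITY_HIGH, false),
           service_accepts(JUST_WORKS, BT_SECURITY_HIGH, BT_SECURITY_HIGH, true));
    return 0;
}
```

The point the model makes visible: with the "before" rule a Just Works pairing that the local service had requested at BT_SECURITY_HIGH produces a key marked authenticated, and a HIGH-requiring check then passes; with the "after" rule the same pairing stores an unauthenticated key, while passkey or OOB pairings still produce an authenticated one because the flag, not the requested level, drives the metadata.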

Affected Systems

Vendor: Linux. Product: Linux kernel. Exact affected kernel releases are not listed in the entry (the CPE is the unversioned cpe:2.3:o:linux:linux_kernel:*), so administrators should check the stable kernel changelogs for the fix commit titled "Bluetooth: SMP: derive legacy responder STK authentication from MITM state". Debian has published DLA-4561-1 (linux-6.1) and DSA-6243-1 (linux) for this entry; see Advisories below.

Risk and Exploitability

This flaw mislabels a Short Term Key (STK) as authenticated even when the pairing method provided no MITM protection, so a peer that completes a Just Works or Just Confirm legacy pairing against the affected device (acting as responder) ends up with key metadata equivalent to a high security level. No CVSS score is given, EPSS is unavailable and the entry is not in KEV, so no public severity metrics exist. Because the flaw is an authentication-state misclassification rather than a memory-safety bug, exploitation requires an attacker within Bluetooth LE radio range who can complete a legacy pairing with the target while a local service has requested BT_SECURITY_HIGH; the target must also accept Just Works, which is the case when the negotiated IO capabilities offer no passkey display or entry. No public exploit is referenced, so real-world abuse is unknown. The limited data suggests a moderate rather than severe risk, but because it lets an unauthenticated pairing satisfy checks meant for authenticated links, it remains a concern for devices that expose sensitive services to legacy-pairing peers.

Generated by OpenCVE AI on May 2, 2026 at 07:22 UTC.

Remediation

The entry lists no vendor fix or workaround. The description, however, states that the issue has been resolved in the Linux kernel, and the Debian advisories listed under Advisories (DLA-4561-1 for linux-6.1, DSA-6243-1 for linux) reference this entry; upgrade to a kernel that contains the commit named in the title.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix commit "Bluetooth: SMP: derive legacy responder STK authentication from MITM state" (for Debian, the DLA-4561-1 and DSA-6243-1 advisories listed below), so that the responder STK is stored with authentication metadata taken from SMP_FLAG_MITM_AUTH rather than from the requested security level.
  • Until the kernel is updated, where every expected peer supports Secure Connections (Bluetooth 4.2 or later), put the controller into Secure Connections Only mode (with BlueZ: btmgmt sc only); the kernel then rejects legacy pairing requests, so the affected path is never exercised. Two caveats: this breaks pairing with legacy-only peers, and Secure Connections does not by itself make Just Works pairings MITM-protected, it only ensures they are recorded as unauthenticated.
  • Monitor pairing activity: with btmon, flag SMP Pairing Request/Response exchanges that negotiate legacy (non-Secure-Connections) Just Works pairing from unexpected peers, since those are exactly the pairings the bug mislabels, and alert when such a peer subsequently uses services that should require an authenticated link.

Generated by OpenCVE AI on May 2, 2026 at 07:22 UTC.


Advisories
Source      ID          Title
Debian DLA  DLA-4561-1  linux-6.1 security update
Debian DSA  DSA-6243-1  linux security update
History

Sat, 02 May 2026 07:45:00 +0000

Type        Values Removed   Values Added
Weaknesses                   CWE-287

Fri, 01 May 2026 14:45:00 +0000

Type                 Values Removed   Values Added
Description                           In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: derive legacy responder STK authentication from MITM state The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved. For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security. Use the established MITM state when storing the responder STK so the key metadata matches the pairing result. This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated.
Title                                 Bluetooth: SMP: derive legacy responder STK authentication from MITM state
First Time appeared                   Linux
                                      Linux linux Kernel
CPEs                                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                    Linux
                                      Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:15:01.277Z

Reserved: 2026-03-09T15:48:24.140Z

Link: CVE-2026-31773

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:40.587

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31773

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:30:36Z

Weaknesses