Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate LTK enc_size on load

Load Long Term Keys stores the user-provided enc_size and later uses
it to size fixed-size stack operations when replying to LE LTK
requests. An enc_size larger than the 16-byte key buffer can therefore
overflow the reply stack buffer.

Reject oversized enc_size values while validating the management LTK
record so invalid keys never reach the stored key state.
Published: 2026-05-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel Bluetooth management code does not validate the enc_size field of a Long Term Key (LTK) when loading key data. The value is stored and later used to size a fixed‑size stack buffer for LE LTK replies. If an attacker supplies an enc_size larger than the 16‑byte buffer, the kernel later copies the payload into that oversized buffer, causing a stack overflow that can lead to arbitrary code execution with kernel privileges. This is a classic stack‑based buffer overflow that trusts user input without bounds checking.

Affected Systems

All Linux kernel installations are vulnerable until the patch that validates the LTK enc_size is applied. The vulnerability is reported for the generic Linux kernel (Linux:Linux) with no specific kernel release identified, so any current kernel should be treated as potentially vulnerable.

Risk and Exploitability

The CVSS score is 7.8, indicating high severity. The EPSS score of less than 1% shows a very low but nonzero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a Bluetooth-enabled device that can send a crafted LTK record; an attacker can trigger the overflow over an active Bluetooth connection and gain kernel privileges.

Generated by OpenCVE AI on May 8, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the upstream patch that validates the LTK enc_size field in the Bluetooth management code or upgrade to a kernel version that includes the fix.
  • If Bluetooth functionality is not required, disable the Bluetooth subsystem or stop the Bluetooth management services to eliminate the attack surface.
  • If a patch is unavailable, monitor Bluetooth traffic for anomalous LTK requests with oversized enc_size values and use intrusion detection rules to alert on such events.

Generated by OpenCVE AI on May 8, 2026 at 16:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-121
CWE-787

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 01 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-121
CWE-787

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate LTK enc_size on load Load Long Term Keys stores the user-provided enc_size and later uses it to size fixed-size stack operations when replying to LE LTK requests. An enc_size larger than the 16-byte key buffer can therefore overflow the reply stack buffer. Reject oversized enc_size values while validating the management LTK record so invalid keys never reach the stored key state.
Title Bluetooth: MGMT: validate LTK enc_size on load
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:09.294Z

Reserved: 2026-05-01T14:12:55.975Z

Link: CVE-2026-43020

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:46.233

Modified: 2026-05-08T14:41:09.707

Link: CVE-2026-43020

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43020 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T16:45:13Z

Weaknesses