Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()

l2cap_ecred_reconf_rsp() casts the incoming data to struct
l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with
result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes
with result at offset 0).

This causes two problems:

- The sizeof(*rsp) length check requires 8 bytes instead of the
correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected
with -EPROTO.

- rsp->result reads from offset 6 instead of offset 0, returning
wrong data when the packet is large enough to pass the check.

Fix by using the correct type. Also pass the already byte-swapped
result variable to BT_DBG instead of the raw __le16 field.
Published: 2026-05-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel Bluetooth module contains a type confusion bug in the function that processes L2CAP ECRED reconfiguration responses. The code mistakenly interprets the incoming packet as a larger connection-response structure, causing a size check to reject valid short packets and misread the result field from an incorrect offset. This leads to legitimate packets being dropped or incorrect data being stored, which can disrupt Bluetooth connectivity and may allow an attacker to induce packet loss or incorrect state handling. The weakness falls under CWE-843: Incorrect Type Conversion and does not provide for arbitrary code execution but can degrade service reliability.
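A userspace C model of the mismatch described above, added here as an illustration and not taken from the kernel source. The struct names and the non-result field names are assumptions; only the sizes (8 and 2 bytes) and the result offsets (6 and 0) come from the description.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace models of the two wire layouts. Only the sizes (8 and 2 bytes)
 * and the result offsets (6 and 0) come from the description; the struct
 * names and the other field names are assumptions made for this model. */
struct model_conn_rsp {            /* ECRED connection response */
    uint8_t mtu[2], mps[2], credits[2];
    uint8_t result[2];             /* little-endian, offset 6 */
};
struct model_reconf_rsp {          /* ECRED reconfiguration response */
    uint8_t result[2];             /* little-endian, offset 0 */
};
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Pre-fix behaviour: length check and field read use the wrong layout. */
int parse_confused(const uint8_t *data, size_t len, uint16_t *result)
{
    if (len < sizeof(struct model_conn_rsp))
        return -EPROTO;            /* a valid 2-byte response ends here */
    *result = get_le16(data + offsetof(struct model_conn_rsp, result));
    return 0;
}

/* Post-fix behaviour: both use the reconfiguration-response layout. */
int parse_fixed(const uint8_t *data, size_t len, uint16_t *result)
{
    if (len < sizeof(struct model_reconf_rsp))
        return -EPROTO;
    *result = get_le16(data + offsetof(struct model_reconf_rsp, result));
    return 0;
}

int main(void)
{
    /* Constructed inputs: valid 2-byte response; 8 bytes with 3 at offset 6. */
    const uint8_t valid[2] = { 0, 0 }, padded[8] = { 0, 0, 0, 0, 0, 0, 3, 0 };
    uint16_t a = 0xffff, b = 0xffff;
    printf("2 bytes: confused rc=%d, fixed rc=%d\n",
           parse_confused(valid, 2, &a), parse_fixed(valid, 2, &b));
    parse_confused(padded, 8, &a);
    parse_fixed(padded, 8, &b);
    printf("8 bytes: confused result=%u, fixed result=%u\n", a, b);
    return 0;
}
```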

Affected Systems

The vulnerability affects all Linux kernel builds that include the Bluetooth L2CAP implementation before the fix committed in 2026. The Common Platform Enumeration entries show that all kernel versions, including Linux kernel 7.0 RC1 through RC4, are potentially affected until the patch is applied. Administrators should verify that the running kernel contains the commit that corrects the type‑confusion issue or that the patch is applied manually.

Risk and Exploitability

The CVSS score of 7.1 falls in the High severity band. The EPSS score of <1% shows a low exploitation probability. The attack vector is the Bluetooth interface: a sender of crafted L2CAP_ECRED_RECONF_RSP packets can cause legitimate packets to be rejected or incorrect data to be read, leading to denial of service. Exploitation requires no privileged code execution but does require the ability to send malformed packets, so the risk is moderate with potential impact on service availability. The bug is not listed in the CISA KEV catalogue, indicating no known active exploits.

Generated by OpenCVE AI on May 29, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the l2cap_ecred_reconf_rsp type‑confusion fix, either by installing the latest kernel release or applying the patch from the cited commits.
  • If an immediate kernel update cannot be performed, block or filter incoming L2CAP_ECRED_RECONF_RSP packets on the Bluetooth interface using host‑based firewall rules or disable the ECRED feature in the Bluetooth daemon to prevent the processing of the affected packet type.
  • Monitor Bluetooth logs for repeated EPROTO errors or unusual packet drops that may indicate attempts to trigger the bug, and audit connected devices for any evidence of crafted packet transmission.



Advisories
Source | ID | Title
Debian DLA | DLA-4606-1 | linux security update
History

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


Thu, 07 May 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 05 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes with result at offset 0). This causes two problems: - The sizeof(*rsp) length check requires 8 bytes instead of the correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected with -EPROTO. - rsp->result reads from offset 6 instead of offset 0, returning wrong data when the packet is large enough to pass the check. Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field.
Title Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:58.662Z

Reserved: 2026-05-01T14:12:55.981Z

Link: CVE-2026-43062

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-05T16:16:15.340

Modified: 2026-05-29T18:23:08.033

Link: CVE-2026-43062

Redhat

Severity : Moderate

Public Date: 2026-05-05T00:00:00Z

Links: CVE-2026-43062 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T20:00:05Z

Weaknesses