Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()

l2cap_ecred_reconf_rsp() casts the incoming data to struct
l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with
result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes
with result at offset 0).

This causes two problems:

- The sizeof(*rsp) length check requires 8 bytes instead of the
correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected
with -EPROTO.

- rsp->result reads from offset 6 instead of offset 0, returning
wrong data when the packet is large enough to pass the check.

Fix by using the correct type. Also pass the already byte-swapped
result variable to BT_DBG instead of the raw __le16 field.
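
The mismatch described above, modelled in userspace C as an added example (this is not the kernel source or the fix commit). The function names, the sample payloads and the field names other than `result` are assumptions chosen to match the sizes and offsets the description states.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Userspace model of the two layouts named in the description; field names
 * other than `result` are assumptions that match the stated size and offset. */
struct ecred_conn_rsp { uint16_t mtu, mps, credits, result; }; /* 8 bytes */
struct ecred_reconf_rsp { uint16_t result; };                  /* 2 bytes */
_Static_assert(sizeof(struct ecred_conn_rsp) == 8, "conn rsp size");
_Static_assert(offsetof(struct ecred_conn_rsp, result) == 6, "conn rsp result offset");
_Static_assert(sizeof(struct ecred_reconf_rsp) == 2, "reconf rsp size");

/* Read a little-endian 16-bit wire field on any host byte order. */
static uint16_t le16_at(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Pre-fix behaviour: payload interpreted with the connection-response type. */
int parse_confused(const uint8_t *data, size_t len, uint16_t *result)
{
    if (len < sizeof(struct ecred_conn_rsp))      /* demands 8 bytes */
        return -EPROTO;
    *result = le16_at(data + offsetof(struct ecred_conn_rsp, result)); /* offset 6 */
    return 0;
}

/* Post-fix behaviour: payload interpreted with the reconfigure-response type. */
int parse_fixed(const uint8_t *data, size_t len, uint16_t *result)
{
    if (len < sizeof(struct ecred_reconf_rsp))    /* demands 2 bytes */
        return -EPROTO;
    *result = le16_at(data + offsetof(struct ecred_reconf_rsp, result)); /* offset 0 */
    return 0;
}

/* Constructed payloads (not captured traffic): 0x0002 at offset 0, zero at offset 6. */
const uint8_t sample_short[2] = { 0x02, 0x00 };
const uint8_t sample_long[8]  = { 0x02, 0x00, 0, 0, 0, 0, 0x00, 0x00 };

int main(void)
{
    uint16_t r = 0;
    printf("confused, 2 bytes: rc=%d\n", parse_confused(sample_short, 2, &r));
    printf("confused, 8 bytes: rc=%d", parse_confused(sample_long, 8, &r));
    printf(" result=0x%04x\n", r);
    printf("fixed,    2 bytes: rc=%d", parse_fixed(sample_short, 2, &r));
    printf(" result=0x%04x\n", r);
    return 0;
}
```

With the wrong type, the 2-byte payload is rejected and the 8-byte payload yields the bytes at offset 6 rather than the result the sender placed at offset 0.
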
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel Bluetooth module contains a type confusion bug in the function that processes L2CAP ECRED reconfiguration responses. The code mistakenly interprets the incoming packet as a larger connection‑response structure, causing a size check to reject valid short packets and misread the result field from an incorrect offset. This leads to legitimate frames being dropped or incorrect data being stored, which can disrupt Bluetooth connectivity and potentially allow a malicious actor to induce packet loss or incorrect state handling. The weakness falls under CWE‑754: Use of Object of Incorrect Type; the issue does not provide for arbitrary code execution but can degrade service reliability.

Affected Systems

The vulnerability affects all Linux kernel builds that contain the Linux kernel Bluetooth L2CAP implementation before the applied patch. The Common Platform Enumeration entry identifies the entire Linux kernel family, and there is no finer‑grained version list in the data. Administrators should check that the kernel they run is at or beyond the commit that fixes the bug or verify that the patch is applied manually.

Risk and Exploitability

No CVSS score is provided, and the EPSS score is unavailable, but the vulnerability is known to exist in production kernels. The most likely attack vector is through the Bluetooth interface, where an attacker capable of transmitting crafted L2CAP_RECONF_RSP packets could induce packet rejection or incorrect handling. Attacker sophistication is moderate: a Bluetooth stack is required but no privileged code execution is needed. Because the bug affects only the handling of a specific control packet, the overall exploitation risk is considered moderate; however, the impact on service availability can be significant if an attacker floods the target with malformed frames.

Generated by OpenCVE AI on May 5, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the l2cap_ecred_reconf_rsp type‑confusion fix, either by installing the latest kernel release or applying the patch from the cited commits.
  • If an immediate kernel update cannot be performed, block or filter incoming L2CAP_ECRED_RECONF_RSP packets on the Bluetooth interface using host‑based firewall rules or disable the ECRED feature in the Bluetooth daemon to prevent the processing of the affected packet type.
  • Monitor Bluetooth logs for repeated EPROTO errors or unusual packet drops that may indicate attempts to trigger the bug, and audit connected devices for any evidence of crafted packet transmission.

Advisories

No advisories yet.

History

Tue, 05 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-754

Tue, 05 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-05T15:17:27.830Z

Reserved: 2026-05-01T14:12:55.981Z

Link: CVE-2026-43062

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T16:16:15.340

Modified: 2026-05-05T16:16:15.340

Link: CVE-2026-43062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T17:45:05Z

Weaknesses