CVE-2026-43334 - Vulnerability Details

- Bluetooth: SMP: force responder MITM requirements before building the pairing response

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SMP: force responder MITM requirements before building the pairing response

smp_cmd_pairing_req() currently builds the pairing response from the
initiator auth_req before enforcing the local BT_SECURITY_HIGH
requirement. If the initiator omits SMP_AUTH_MITM, the response can
also omit it even though the local side still requires MITM.

tk_request() then sees an auth value without SMP_AUTH_MITM and may
select JUST_CFM, making method selection inconsistent with the pairing
policy the responder already enforces.

When the local side requires HIGH security, first verify that MITM can
be achieved from the IO capabilities and then force SMP_AUTH_MITM in the
response in both rsp.auth_req and auth. This keeps the responder auth bits
and later method selection aligned.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in the Linux kernel’s Bluetooth SMP pairing logic. When a device that requires high security initiates pairing, the kernel builds a response that omits the required MITM flag if the initiator does not request it. This mismatch allows an attacker to pair without MITM enforcement, effectively weakening the connection’s security and permitting a man‑in‑the‑middle attack. The flaw is a logic error that undermines the intended confidentiality and integrity protections of Bluetooth communications.

Affected Systems

Linux kernel devices. The affected code is part of the Bluetooth stack, and the security premise applies to any kernel that incorporates the unpatched SMP logic. Specific version ranges are not listed, so all current or near‑current kernel releases should be considered potentially vulnerable until the patch is applied.

Risk and Exploitability

Because the issue resides in the pairing protocol, an attacker who can conduct a Bluetooth pairing session with a high‑security device can force the responder to accept a weaker authentication state. The pipe for exploitation is a local Bluetooth connection; physical proximity or range of typical Bluetooth devices is sufficient. No public exploits are reported, and the EPSS score is unavailable, but the condition is straightforward and the impact severe. The vulnerability is not listed in CISA’s KEV catalog, yet it remains a critical security concern for environments that rely on Bluetooth for sensitive communications.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< 425a22c5373d4e1b46492ab869074ebeeade61f3
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< 7ab69426e7ecbd18a222ee2ec87ca612d30197d7
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< 01bb4045d2306c266178f49ce0c3576d237a3040
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< 91649c02c1baaa18cedf7fb425fa1f0f852c8183
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< fa14e0e19820b1bbdb42185c9c4efa950bcffef9
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< ec17efb1ef91506cfd17a77692eaf4bbacb520ea
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7

Linux

affected

Version	Status	Constraints
`3.3`	affected	—
`0`	unaffected	< 3.3
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,425a22c5373d4e1b46492ab869074ebeeade61f3)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,7ab69426e7ecbd18a222ee2ec87ca612d30197d7)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,01bb4045d2306c266178f49ce0c3576d237a3040)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,91649c02c1baaa18cedf7fb425fa1f0f852c8183)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,fa14e0e19820b1bbdb42185c9c4efa950bcffef9)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,ec17efb1ef91506cfd17a77692eaf4bbacb520ea)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.3`	affected	semver	—
`[0,3.3)`	unaffected	semver	—
`[5.10.253,5.10.*]`	unaffected	generic	—
`[5.15.203,5.15.*]`	unaffected	generic	—
`[6.1.168,6.1.*]`	unaffected	generic	—
`[6.6.134,6.6.*]`	unaffected	generic	—
`[6.12.81,6.12.*]`	unaffected	generic	—
`[6.18.22,6.18.*]`	unaffected	generic	—
`[6.19.12,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that includes the SMP patch referenced in the commit logs provided
If an immediate kernel upgrade is infeasible, lower the responder’s security requirement for pairing by disabling the BT_SECURITY_HIGH enforcement (e.g., modify the kernel configuration or sysfs setting to use medium or low security policies)
Validate that all paired devices respect the enforced security policy by monitoring pairing logs for discrepancies and enforcing a device‑catalogue that denies repeat pairings with mismatched authentication flags

Generated by OpenCVE AI on May 8, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/01bb4045d2306c266178f49ce0c3576d237a3040
https://git.kernel.org/stable/c/425a22c5373d4e1b46492ab869074ebeeade61f3
https://git.kernel.org/stable/c/7ab69426e7ecbd18a222ee2ec87ca612d30197d7
https://git.kernel.org/stable/c/91649c02c1baaa18cedf7fb425fa1f0f852c8183
https://git.kernel.org/stable/c/c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb
https://git.kernel.org/stable/c/d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7
https://git.kernel.org/stable/c/ec17efb1ef91506cfd17a77692eaf4bbacb520ea
https://git.kernel.org/stable/c/fa14e0e19820b1bbdb42185c9c4efa950bcffef9

History

Fri, 08 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-287 CWE-296

Fri, 08 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: force responder MITM requirements before building the pairing response smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM. tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making method selection inconsistent with the pairing policy the responder already enforces. When the local side requires HIGH security, first verify that MITM can be achieved from the IO capabilities and then force SMP_AUTH_MITM in the response in both rsp.auth_req and auth. This keeps the responder auth bits and later method selection aligned.
Title		Bluetooth: SMP: force responder MITM requirements before building the pairing response
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/01bb4045d2306c266178f49ce0c3576d237a3040 https://git.kernel.org/stable/c/425a22c5373d4e1b46492ab869074ebeeade61f3 https://git.kernel.org/stable/c/7ab69426e7ecbd18a222ee2ec87ca612d30197d7 https://git.kernel.org/stable/c/91649c02c1baaa18cedf7fb425fa1f0f852c8183 https://git.kernel.org/stable/c/c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb https://git.kernel.org/stable/c/d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7 https://git.kernel.org/stable/c/ec17efb1ef91506cfd17a77692eaf4bbacb520ea https://git.kernel.org/stable/c/fa14e0e19820b1bbdb42185c9c4efa950bcffef9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:31:20.923Z

Updated: 2026-05-08T13:31:20.923Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43334

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:43.130

Modified: 2026-05-08T14:16:43.130

Link: CVE-2026-43334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T21:45:18Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object