CVE-2026-43334 - Vulnerability Details

- Bluetooth: SMP: force responder MITM requirements before building the pairing response

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SMP: force responder MITM requirements before building the pairing response

smp_cmd_pairing_req() currently builds the pairing response from the
initiator auth_req before enforcing the local BT_SECURITY_HIGH
requirement. If the initiator omits SMP_AUTH_MITM, the response can
also omit it even though the local side still requires MITM.

tk_request() then sees an auth value without SMP_AUTH_MITM and may
select JUST_CFM, making method selection inconsistent with the pairing
policy the responder already enforces.

When the local side requires HIGH security, first verify that MITM can
be achieved from the IO capabilities and then force SMP_AUTH_MITM in the
response in both rsp.auth_req and auth. This keeps the responder auth bits
and later method selection aligned.

Published: 2026-05-08

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability results from a logic error in the Linux kernel’s Bluetooth Security Manager Pairing (SMP) controller. The kernel constructs a pairing response using the initiator’s auth_req before checking that the local device’s high‑security policy mandates man‑in‑the‑middle (MITM) protection. If the initiator omits the MITM flag, the responder can reply without enforcing it, causing a weaker authentication state than the policy requires. This creates an opportunity for an attacker to hijack the pairing process, diminishing Bluetooth communication confidentiality and integrity.

Affected Systems

The defect resides in the generic Linux kernel Bluetooth subsystem; all kernels containing the unpatched SMP logic are potentially vulnerable. No specific version ranges are listed, so any current or near‑current Linux kernel release should be considered at risk until the MITM enforcement patch is applied.

Risk and Exploitability

Based on the description, the likely attack vector is a local Bluetooth pairing session. An adversary would need to be within typical Bluetooth range of the target device and initiate a pairing with a high‑security requirement. The EPSS score is below 1% and no public exploits are known, so the practical risk is moderate, but the CVSS base score of 8.8 signals a high severity. The vulnerability is not listed in the CISA KEV catalog, yet it remains a concern for environments that rely on high‑security Bluetooth connections.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< 425a22c5373d4e1b46492ab869074ebeeade61f3
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< 7ab69426e7ecbd18a222ee2ec87ca612d30197d7
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< 01bb4045d2306c266178f49ce0c3576d237a3040
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< 91649c02c1baaa18cedf7fb425fa1f0f852c8183
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< fa14e0e19820b1bbdb42185c9c4efa950bcffef9
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< ec17efb1ef91506cfd17a77692eaf4bbacb520ea
`2b64d153a0cc9d2b60e47be013cde8490f16e0a5`	affected	< d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7

Linux

affected

Version	Status	Constraints
`3.3`	affected	—
`0`	unaffected	< 3.3
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,425a22c5373d4e1b46492ab869074ebeeade61f3)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,7ab69426e7ecbd18a222ee2ec87ca612d30197d7)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,01bb4045d2306c266178f49ce0c3576d237a3040)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,91649c02c1baaa18cedf7fb425fa1f0f852c8183)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,fa14e0e19820b1bbdb42185c9c4efa950bcffef9)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,ec17efb1ef91506cfd17a77692eaf4bbacb520ea)`	affected	code_commit	—
`[2b64d153a0cc9d2b60e47be013cde8490f16e0a5,d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.3`	affected	semver	—
`[0,3.3)`	unaffected	semver	—
`[5.10.253,5.10.*]`	unaffected	generic	—
`[5.15.203,5.15.*]`	unaffected	generic	—
`[6.1.168,6.1.*]`	unaffected	generic	—
`[6.6.134,6.6.*]`	unaffected	generic	—
`[6.12.81,6.12.*]`	unaffected	generic	—
`[6.18.22,6.18.*]`	unaffected	generic	—
`[6.19.12,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel release that includes the SMP patch referenced in the provided commit logs.
If an immediate kernel upgrade is infeasible, reconfigure the Bluetooth stack to disable the BT_SECURITY_HIGH enforcement or set it to a medium or low security level, ensuring that MITM protection can be negotiated.
Continuously monitor pairing logs for authentication bits mismatches and enforce a device whitelist that rejects repeated pairings with inconsistent MITM flags.

Generated by OpenCVE AI on May 16, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2026/CVE-2026-43334.mbox
https://git.kernel.org/stable/c/01bb4045d2306c266178f49ce0c3576d237a3040
https://git.kernel.org/stable/c/425a22c5373d4e1b46492ab869074ebeeade61f3
https://git.kernel.org/stable/c/7ab69426e7ecbd18a222ee2ec87ca612d30197d7
https://git.kernel.org/stable/c/91649c02c1baaa18cedf7fb425fa1f0f852c8183
https://git.kernel.org/stable/c/c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb
https://git.kernel.org/stable/c/d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7
https://git.kernel.org/stable/c/ec17efb1ef91506cfd17a77692eaf4bbacb520ea
https://git.kernel.org/stable/c/fa14e0e19820b1bbdb42185c9c4efa950bcffef9
https://nvd.nist.gov/vuln/detail/CVE-2026-43334
https://www.cve.org/CVERecord?id=CVE-2026-43334

History

Sat, 16 May 2026 02:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-265 CWE-296

Sat, 16 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-265 CWE-296 CWE-322
References		https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2026/CVE-2026-43334.mbox https://nvd.nist.gov/vuln/detail/CVE-2026-43334 https://www.cve.org/CVERecord?id=CVE-2026-43334
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 15 May 2026 22:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-20 CWE-285

Fri, 15 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::

Mon, 11 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20 CWE-285

Mon, 11 May 2026 09:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-287 CWE-296

Mon, 11 May 2026 07:45:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 08 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-287 CWE-296

Fri, 08 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: force responder MITM requirements before building the pairing response smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM. tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making method selection inconsistent with the pairing policy the responder already enforces. When the local side requires HIGH security, first verify that MITM can be achieved from the IO capabilities and then force SMP_AUTH_MITM in the response in both rsp.auth_req and auth. This keeps the responder auth bits and later method selection aligned.
Title		Bluetooth: SMP: force responder MITM requirements before building the pairing response
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/01bb4045d2306c266178f49ce0c3576d237a3040 https://git.kernel.org/stable/c/425a22c5373d4e1b46492ab869074ebeeade61f3 https://git.kernel.org/stable/c/7ab69426e7ecbd18a222ee2ec87ca612d30197d7 https://git.kernel.org/stable/c/91649c02c1baaa18cedf7fb425fa1f0f852c8183 https://git.kernel.org/stable/c/c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb https://git.kernel.org/stable/c/d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7 https://git.kernel.org/stable/c/ec17efb1ef91506cfd17a77692eaf4bbacb520ea https://git.kernel.org/stable/c/fa14e0e19820b1bbdb42185c9c4efa950bcffef9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:31:20.923Z

Updated: 2026-05-11T22:22:33.645Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43334

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T14:16:43.130

Modified: 2026-05-15T20:01:41.630

Link: CVE-2026-43334

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43334 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-16T03:30:14Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object