CVE-2026-43020
Analyzed Analyzed - Analysis Complete
Bluetooth: MGMT LTK Load Validation Flaw in Linux Kernel

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate LTK enc_size on load Load Long Term Keys stores the user-provided enc_size and later uses it to size fixed-size stack operations when replying to LE LTK requests. An enc_size larger than the 16-byte key buffer can therefore overflow the reply stack buffer. Reject oversized enc_size values while validating the management LTK record so invalid keys never reach the stored key state.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-43020
EUVD
EUVD-2026-26619
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 3.4 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth management component related to handling Long Term Keys (LTK). Specifically, when loading LTKs, the system accepts a user-provided encryption size (enc_size) value. If this enc_size is larger than the expected 16-byte key buffer, it can cause a stack buffer overflow during the reply to LE LTK requests.

The issue arises because the enc_size is used to size fixed-size stack operations without proper validation, allowing an oversized enc_size to overflow the reply stack buffer. The vulnerability was fixed by adding validation to reject enc_size values that are too large, preventing invalid keys from being stored.

Impact Analysis

This vulnerability can lead to a stack buffer overflow in the Bluetooth management code of the Linux kernel. Such a buffer overflow could potentially be exploited by an attacker to execute arbitrary code, cause a denial of service (system crash), or escalate privileges on the affected system.

Mitigation Strategies

The vulnerability involves an overflow caused by an oversized enc_size value in Bluetooth Long Term Keys (LTK) handling in the Linux kernel.

Immediate mitigation should focus on updating the Linux kernel to a version where this vulnerability is resolved, as the fix involves rejecting oversized enc_size values during validation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43020. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart