CVE-2026-43020
Bluetooth: MGMT LTK Load Validation Flaw in Linux Kernel
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Bluetooth management component related to handling Long Term Keys (LTK). Specifically, when loading LTKs, the system accepts a user-provided encryption size (enc_size) value. If this enc_size is larger than the expected 16-byte key buffer, it can cause a stack buffer overflow during the reply to LE LTK requests.
The issue arises because the enc_size is used to size fixed-size stack operations without proper validation, allowing an oversized enc_size to overflow the reply stack buffer. The vulnerability was fixed by adding validation to reject enc_size values that are too large, preventing invalid keys from being stored.
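A user-space C model of the check described above, added here as an illustration; it is not the kernel's code or the upstream patch. The names `ltk_record`, `ltk_record_is_valid`, `ltk_load` and `ltk_build_reply` are hypothetical, and the reply routine assumes the key is copied into a 16-byte buffer and then zero-padded.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LTK_KEY_LEN 16  /* the 16-byte key buffer named in the advisory */

/* Hypothetical user-space stand-in for a stored LTK; not the kernel's struct. */
struct ltk_record {
    uint8_t enc_size;            /* supplied by whoever loads the keys */
    uint8_t val[LTK_KEY_LEN];
};

/* Load-time check: refuse a record whose enc_size exceeds the key buffer. */
int ltk_record_is_valid(const struct ltk_record *k)
{
    return k->enc_size <= LTK_KEY_LEN;
}

/* Load path: store only valid records. Returns how many were kept. */
size_t ltk_load(struct ltk_record *store, size_t cap,
                const struct ltk_record *in, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < cap; i++)
        if (ltk_record_is_valid(&in[i]))
            store[kept++] = in[i];
    return kept;
}

/* Reply path: copy enc_size key bytes into a fixed 16-byte reply, zero the rest.
 * Without the guard, enc_size > 16 makes memcpy write past reply[] and the pad
 * length (LTK_KEY_LEN - enc_size) wrap to a huge size_t. 0 = ok, -1 = rejected. */
int ltk_build_reply(uint8_t reply[LTK_KEY_LEN], const struct ltk_record *k)
{
    if (!ltk_record_is_valid(k))
        return -1;               /* defence in depth: re-check before use */
    memcpy(reply, k->val, k->enc_size);
    memset(reply + k->enc_size, 0, (size_t)LTK_KEY_LEN - k->enc_size);
    return 0;
}

int main(void)
{
    /* Constructed sample input: one valid record, one oversized record. */
    struct ltk_record in[2] = { { .enc_size = 16 }, { .enc_size = 200 } };
    struct ltk_record store[2];
    return ltk_load(store, 2, in, 2) == 1 ? 0 : 1;
}
```

Validating at load time keeps the oversized value out of storage entirely, so the reply-path check never fires unless a record reached the store by another route.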
How can this vulnerability impact me?
This vulnerability can lead to a stack buffer overflow in the Bluetooth management code of the Linux kernel. Such a buffer overflow could potentially be exploited by an attacker to execute arbitrary code, cause a denial of service (system crash), or escalate privileges on the affected system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability involves an overflow caused by an oversized enc_size value in Bluetooth Long Term Keys (LTK) handling in the Linux kernel.
Immediate mitigation should focus on updating the Linux kernel to a version where this vulnerability is resolved, as the fix involves rejecting oversized enc_size values during validation.