CVE-2026-43062
Analyzed Analyzed - Analysis Complete
Bluetooth Type Confusion in Linux Kernel L2CAP

Publication date: 2026-05-05

Last updated on: 2026-05-29

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes with result at offset 0). This causes two problems: - The sizeof(*rsp) length check requires 8 bytes instead of the correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected with -EPROTO. - rsp->result reads from offset 6 instead of offset 0, returning wrong data when the packet is large enough to pass the check. Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43062
EUVD
EUVD-2026-27358
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 5.7 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth L2CAP implementation, specifically in the function l2cap_ecred_reconf_rsp(). The function incorrectly casts incoming data to the wrong structure type, treating it as l2cap_ecred_conn_rsp (8 bytes) instead of the correct l2cap_ecred_reconf_rsp (2 bytes).

Because of this incorrect casting, two issues arise: first, the length check expects 8 bytes instead of 2, causing valid packets to be rejected; second, the code reads the result field from the wrong offset, returning incorrect data when the packet is large enough.

The fix involves using the correct structure type and properly handling the result variable.

Impact Analysis

This vulnerability can cause valid Bluetooth L2CAP ECRED reconnection response packets to be rejected incorrectly, potentially disrupting Bluetooth communication.

Additionally, because the result field is read from the wrong offset, the system may process incorrect data, which could lead to unexpected behavior or errors in Bluetooth connection handling.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43062. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart