CVE-2026-43062
Bluetooth Type Confusion in Linux Kernel L2CAP
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | kernel | * |
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Bluetooth L2CAP implementation, specifically in the function l2cap_ecred_reconf_rsp(). The function incorrectly casts incoming data to the wrong structure type, treating it as l2cap_ecred_conn_rsp (8 bytes) instead of the correct l2cap_ecred_reconf_rsp (2 bytes).
Because of this incorrect casting, two issues arise: first, the length check expects 8 bytes instead of 2, causing valid packets to be rejected; second, the code reads the result field from the wrong offset, returning incorrect data when the packet is large enough.
The fix involves using the correct structure type and properly handling the result variable.
How can this vulnerability impact me? :
This vulnerability can cause valid Bluetooth L2CAP ECRED reconnection response packets to be rejected incorrectly, potentially disrupting Bluetooth communication.
Additionally, because the result field is read from the wrong offset, the system may process incorrect data, which could lead to unexpected behavior or errors in Bluetooth connection handling.