Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-43062
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-05 16:16:15 UTC
Updated2026-05-08 13:16:37 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes with result at offset 0). This causes two problems: - The sizeof(*rsp) length check requires 8 bytes instead of the correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected with -EPROTO. - rsp->result reads from offset 6 instead of offset 0, returning wrong data when the packet is large enough to pass the check. Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field.

Risk And Classification

Primary CVSS: v3.1 7.1 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

EPSS: 0.000250000 probability, percentile 0.073250000 (date 2026-05-12)

VersionSourceTypeScoreSeverityVector
3.1416baaa9-dc9f-4396-8d5f-8c081fb06d67Secondary7.1HIGHCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
3.1CNADECLARED7.1HIGHCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CVSS v3.1 Breakdown

Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 21d3ba696918d6373233aac0b9d51fcabdedddc0 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 3b94e62caa1dc1198d0d55d97bd710da1dee15d7 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 111f74547eee8cfedfb854284e80f35c8a491186 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 dd3b221e21079ade8263fbb7176f3d55ad75d3b6 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 d90150c72d2e6a8a3079e88755dafcfbe91c746d git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 5a1ea296f8589ce8f1e3141b2b123b34ad010e19 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 f110b8f58b254bf997cec1bd60701b7798e9bb82 git Not specified
CNA Linux Linux affected 15f02b91056253e8cdc592888f431da0731337b8 15145675690cab2de1056e7ed68e59cbd0452529 git Not specified
CNA Linux Linux affected 5.7 Not specified
CNA Linux Linux unaffected 5.7 semver Not specified
CNA Linux Linux unaffected 5.10.253 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.203 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.167 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.130 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.78 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.20 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.10 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/15145675690cab2de1056e7ed68e59cbd0452529 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/3b94e62caa1dc1198d0d55d97bd710da1dee15d7 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/111f74547eee8cfedfb854284e80f35c8a491186 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/f110b8f58b254bf997cec1bd60701b7798e9bb82 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/5a1ea296f8589ce8f1e3141b2b123b34ad010e19 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/21d3ba696918d6373233aac0b9d51fcabdedddc0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/dd3b221e21079ade8263fbb7176f3d55ad75d3b6 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/d90150c72d2e6a8a3079e88755dafcfbe91c746d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report