Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()_CVE-2026-43062

7.1 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()

l2cap_ecred_reconf_rsp() casts the incoming data to struct
l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with
result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes
with result at offset 0).

This causes two problems:

- The sizeof(*rsp) length check requires 8 bytes instead of the
correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected
with -EPROTO.

- rsp->result reads from offset 6 instead of offset 0, returning
wrong data when the packet is large enough to pass the check.

Fix by using the correct type. Also pass the already byte-swapped
result variable to BT_DBG instead of the raw __le16 field.

Basic Information

ID CVE-2026-43062

Source Linux

Published May 5, 2026 at 15:17

Modified May 8, 2026 at 12:40

Affected Product

Vendor Linux

Product Linux

Version 15f02b91056253e8cdc592888f431da0731337b8

Affected Versions Linux Linux 15f02b91056253e8cdc592888f431da0731337b8
Linux Linux 15f02b91056253e8cdc592888f431da0731337b8
Linux Linux 15f02b91056253e8cdc592888f431da0731337b8
Linux Linux 15f02b91056253e8cdc592888f431da0731337b8
Linux Linux 15f02b91056253e8cdc592888f431da0731337b8
Linux Linux 15f02b91056253e8cdc592888f431da0731337b8
Linux Linux 15f02b91056253e8cdc592888f431da0731337b8
Linux Linux 15f02b91056253e8cdc592888f431da0731337b8
Linux Linux 5.7

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()\n\nl2cap_ecred_reconf_rsp() casts the incoming data to struct\nl2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with\nresult at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes\nwith result at offset 0).\n\nThis causes two problems:\n\n - The sizeof(*rsp) length check requires 8 bytes instead of the\n   correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected\n   with -EPROTO.\n\n - rsp->result reads from offset 6 instead of offset 0, returning\n   wrong data when the packet is large enough to pass the check.\n\nFix by using the correct type.  Also pass the already byte-swapped\nresult variable to BT_DBG instead of the raw __le16 field.",
    "published": "2026-05-05T15:17:27.830Z",
    "modified": "2026-05-08T12:40:16.025Z",
    "type": "cve",
    "title": "Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/21d3ba696918d6373233aac0b9d51fcabdedddc0\nhttps://git.kernel.org/stable/c/3b94e62caa1dc1198d0d55d97bd710da1dee15d7\nhttps://git.kernel.org/stable/c/111f74547eee8cfedfb854284e80f35c8a491186\nhttps://git.kernel.org/stable/c/dd3b221e21079ade8263fbb7176f3d55ad75d3b6\nhttps://git.kernel.org/stable/c/d90150c72d2e6a8a3079e88755dafcfbe91c746d\nhttps://git.kernel.org/stable/c/5a1ea296f8589ce8f1e3141b2b123b34ad010e19\nhttps://git.kernel.org/stable/c/f110b8f58b254bf997cec1bd60701b7798e9bb82\nhttps://git.kernel.org/stable/c/15145675690cab2de1056e7ed68e59cbd0452529",
    "id": "CVE-2026-43062",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 15f02b91056253e8cdc592888f431da0731337b8\nLinux Linux 15f02b91056253e8cdc592888f431da0731337b8\nLinux Linux 15f02b91056253e8cdc592888f431da0731337b8\nLinux Linux 15f02b91056253e8cdc592888f431da0731337b8\nLinux Linux 15f02b91056253e8cdc592888f431da0731337b8\nLinux Linux 15f02b91056253e8cdc592888f431da0731337b8\nLinux Linux 15f02b91056253e8cdc592888f431da0731337b8\nLinux Linux 15f02b91056253e8cdc592888f431da0731337b8\nLinux Linux 5.7",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "15f02b91056253e8cdc592888f431da0731337b8",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply