PatchSiren cyber security CVE debrief

CVE-2026-43334 Git CVE debrief

CVE-2026-43334 is a Linux kernel Bluetooth SMP flaw in which the responder could build a pairing response before fully enforcing its local high-security MITM requirement. That mismatch could let later pairing-method selection follow a weaker path than intended, until the response is corrected to carry the MITM bit consistently.

Vendor: Git
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-11
Advisory published: 2026-05-08
Advisory updated: 2026-05-11

Who should care

Linux kernel and distro maintainers, Bluetooth stack integrators, OEMs shipping Bluetooth-enabled devices, and security teams that rely on Bluetooth pairing with BT_SECURITY_HIGH requirements.

Technical summary

According to the supplied description, smp_cmd_pairing_req() used the initiator’s auth_req to construct the pairing response before enforcing the responder’s local BT_SECURITY_HIGH policy. If the initiator did not request SMP_AUTH_MITM, the pairing response could also omit it, and tk_request() might then select JUST_CFM even though the local policy required MITM. The fix is to first confirm that MITM is achievable from the IO capabilities and then force SMP_AUTH_MITM into both rsp.auth_req and auth whenever the local side requires HIGH security, so that policy enforcement and the later method selection stay aligned.
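To make the mismatch concrete, here is an added C model of the responder's auth_req handling and pairing-method selection. It is not the kernel's code and not part of this debrief: the SMP constants and the IO-capability table follow the Bluetooth Core spec legacy-pairing method table as an assumption, and responder_select(), METHOD_REJECTED and the fixed/local_high flags are hypothetical names. With fixed=0 the responder lands on JUST_CFM because auth came from the initiator alone; with fixed=1 it either forces the MITM bit into both the response and the policy input or refuses to pair when the IO capabilities cannot deliver MITM.

```c
/* Simplified model of the SMP responder's auth_req handling (not kernel code). */
#include <stdint.h>
/* SMP constants as in the Bluetooth Core spec and the kernel's smp.c (assumed). */
#define SMP_IO_DISPLAY_ONLY     0x00
#define SMP_IO_DISPLAY_YESNO    0x01
#define SMP_IO_KEYBOARD_ONLY    0x02
#define SMP_IO_NO_INPUT_OUTPUT  0x03
#define SMP_IO_KEYBOARD_DISPLAY 0x04
#define SMP_AUTH_MITM           0x04
enum method { JUST_WORKS, JUST_CFM, REQ_PASSKEY, CFM_PASSKEY, OVERLAP = 0xff };
#define METHOD_REJECTED 0xfe   /* model-only: responder refuses to pair */

/* Legacy-pairing method table, indexed [remote_io][local_io]. */
static const uint8_t gen_method[5][5] = {
    { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
    { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
    { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
    { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
    { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
};

static uint8_t io_method(uint8_t local_io, uint8_t remote_io)
{
    if (local_io > SMP_IO_KEYBOARD_DISPLAY || remote_io > SMP_IO_KEYBOARD_DISPLAY)
        return JUST_CFM;   /* unknown IO caps: just confirm */
    return gen_method[remote_io][local_io];
}

/* local_high models BT_SECURITY_HIGH; fixed toggles the CVE-2026-43334 change.
 * Returns the method tk_request() would pick; rsp_auth is the response's auth_req. */
uint8_t responder_select(int fixed, int local_high, uint8_t init_auth,
                         uint8_t local_io, uint8_t remote_io, uint8_t *rsp_auth)
{
    uint8_t auth = init_auth;   /* flaw: derived from the initiator alone */
    *rsp_auth = init_auth;
    if (fixed && local_high) {
        uint8_t m = io_method(local_io, remote_io);
        if (m == JUST_WORKS || m == JUST_CFM)
            return METHOD_REJECTED;     /* MITM not achievable with these IO caps */
        *rsp_auth |= SMP_AUTH_MITM;     /* response now carries the MITM bit */
        auth |= SMP_AUTH_MITM;          /* ...and so does the policy input */
    }
    /* tk_request(): with no MITM bit the responder just confirms (weak path) */
    if (!(auth & SMP_AUTH_MITM))
        return JUST_CFM;
    return io_method(local_io, remote_io);
}
```

The retest step in the recommended actions corresponds to the fixed=1 branch: a HIGH-security responder paired against a peer that never asked for MITM should now negotiate a passkey method or refuse, never JUST_CFM.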

Defensive priority

High priority. The issue is rated CVSS 8.8 HIGH in the supplied data and affects authentication-policy handling during Bluetooth pairing, with an adjacent-network attack surface.

Recommended defensive actions

  • Apply the Linux kernel update that contains the fix for CVE-2026-43334.
  • Prioritize updates on systems that use Bluetooth pairing in environments requiring high security or authenticated pairing.
  • Verify downstream kernel, distro, and vendor backports that include the MITM enforcement change.
  • Retest Bluetooth pairing flows after patching to confirm MITM-required devices still negotiate as expected and that weaker pairing paths are rejected when policy demands it.

Evidence notes

This debrief is based on the supplied CVE description, NVD metadata, and kernel.org stable references. The CVE was published at 2026-05-08T14:16:43.130Z and modified at 2026-05-11T08:16:09.977Z. NVD metadata in the source corpus lists CVSS 3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and vulnStatus Received. No affected version range was provided in the source corpus, so this summary avoids version-specific claims.

Official resources

Public CVE published 2026-05-08 and modified 2026-05-11. No further disclosure timeline was supplied in the corpus.