PatchSiren

CVE-2026-43062 Linux CVE debrief

A type confusion vulnerability in the Linux kernel's Bluetooth L2CAP subsystem causes incorrect handling of Enhanced Credit-Based Flow Control (ECRED) reconfiguration response packets. The `l2cap_ecred_reconf_rsp()` function incorrectly casts incoming data to `struct l2cap_ecred_conn_rsp` (8 bytes) instead of `struct l2cap_ecred_reconf_rsp` (2 bytes). This results in two defects: valid reconfiguration responses are rejected with `-EPROTO` due to an oversized length check requiring 8 bytes rather than 2, and when packets are large enough to pass the check, the result code is read from offset 6 instead of offset 0, yielding incorrect data. The vulnerability affects multiple Linux kernel versions from 5.7 through 7.0-rc4. Patches are available from the stable kernel tree. No known exploitation in the wild has been reported, and this vulnerability is not listed in CISA KEV.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-29
Advisory published: 2026-05-05
Advisory updated: 2026-05-29

Who should care

Organizations running Linux systems with Bluetooth capabilities, particularly those using Enhanced Credit-Based Flow Control for L2CAP channels in industrial, medical, or enterprise environments where Bluetooth connectivity is required for adjacent-network device communication.

Technical summary

The vulnerability exists in `l2cap_ecred_reconf_rsp()` in the Linux kernel's Bluetooth L2CAP implementation. The function incorrectly uses `struct l2cap_ecred_conn_rsp` (8 bytes, result at offset 6) instead of `struct l2cap_ecred_reconf_rsp` (2 bytes, result at offset 0). This type confusion causes: (1) rejection of valid 2-byte `L2CAP_ECRED_RECONF_RSP` packets due to `sizeof(*rsp)` requiring 8 bytes, returning `-EPROTO`; and (2) incorrect result parsing at offset 6 when packets exceed the erroneous length threshold. The fix uses the correct struct type and passes the byte-swapped result to `BT_DBG`. Affected versions span 5.7 through 5.10.252, 5.11 through 5.15.202, 5.16 through 6.1.166, 6.2 through 6.6.129, 6.7 through 6.12.77, 6.13 through 6.18.19, 6.19 through 6.19.9, and 7.0-rc1 through 7.0-rc4.
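
The two defects described above, modelled in user space as an added example (this is not kernel code and not taken from the patch). The struct and function names are hypothetical stand-ins, the payload bytes are constructed, and only the sizes and offsets come from the summary.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified byte-level models of the two wire layouts (assumed names). */
struct ecred_conn_rsp {          /* 8 bytes, result at offset 6 */
    uint8_t mtu[2], mps[2], credits[2], result[2];
};
struct ecred_reconf_rsp {        /* 2 bytes, result at offset 0 */
    uint8_t result[2];
};

/* Decode a little-endian 16-bit field. */
static int le16(const uint8_t *p) { return p[0] | (p[1] << 8); }

/* Pre-fix behaviour: length check and result read use the wrong layout. */
int parse_reconf_rsp_buggy(const uint8_t *data, size_t len)
{
    if (len < sizeof(struct ecred_conn_rsp))
        return -EPROTO;          /* valid 2-byte responses end up here */
    return le16(data + offsetof(struct ecred_conn_rsp, result));
}

/* Post-fix behaviour: both use the reconfiguration-response layout. */
int parse_reconf_rsp_fixed(const uint8_t *data, size_t len)
{
    if (len < sizeof(struct ecred_reconf_rsp))
        return -EPROTO;          /* only truncated packets are rejected */
    return le16(data + offsetof(struct ecred_reconf_rsp, result));
}

/* Constructed sample payloads, not captured traffic. */
const uint8_t rsp_valid[2]  = { 0x00, 0x00 };  /* result 0x0000 */
const uint8_t rsp_padded[8] = { 0x00, 0x00, 0xaa, 0xaa,
                                0xaa, 0xaa, 0x02, 0x00 };

int main(void)
{
    printf("2-byte rsp: buggy=%d fixed=%d\n",
           parse_reconf_rsp_buggy(rsp_valid, sizeof rsp_valid),
           parse_reconf_rsp_fixed(rsp_valid, sizeof rsp_valid));
    printf("8-byte rsp: buggy=%d fixed=%d\n",
           parse_reconf_rsp_buggy(rsp_padded, sizeof rsp_padded),
           parse_reconf_rsp_fixed(rsp_padded, sizeof rsp_padded));
    return 0;
}
```

The same two payloads make a compact regression check when validating a patched build: the 2-byte response must be accepted, and the reported result must come from offset 0.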

Defensive priority

high

Recommended defensive actions

  • Apply stable kernel patches for affected versions as listed in vendor references
  • Prioritize patching systems with active Bluetooth interfaces in adjacent network scenarios
  • Monitor kernel changelogs for backported fixes if running distribution-customized kernels
  • Validate Bluetooth L2CAP ECRED functionality after patching to ensure reconfiguration responses process correctly

Evidence notes

CVE description confirms type confusion with incorrect struct cast in `l2cap_ecred_reconf_rsp()`. NVD CPE criteria specify affected kernel version ranges. Eight patch commits are referenced from git.kernel.org stable tree. CVSS 3.1 vector `AV:A` indicates adjacent network attack vector, consistent with Bluetooth proximity requirements.
