Severity: HIGH
Component: bluetooth SMP AuthBypass
CVE: CVE-2026-31773
CVSS: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 8.0 HIGH

01. Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SMP: derive legacy responder STK authentication from MITM state

The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved. For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security.

Use the established MITM state when storing the responder STK so the key metadata matches the pairing result. This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated.
02. KernelScan AI Analysis

Risk summary
Bluetooth devices using legacy SMP pairing may incorrectly mark encryption keys as authenticated when only Just Works pairing was performed. This allows attackers in Bluetooth range to bypass authentication checks and establish trusted connections without proper MITM protection.

Vulnerability analysis
The vulnerability occurs in the Bluetooth SMP legacy responder path where STK authentication metadata is set based on the requested security level rather than the actual pairing method used. When Just Works or Confirm pairing is performed, no MITM authentication occurs (SMP_FLAG_MITM_AUTH remains clear), but if BT_SECURITY_HIGH was requested, the STK was incorrectly marked as authenticated. The fix changes the logic to check the actual MITM authentication flag, ensuring key metadata accurately reflects the security properties achieved during pairing. This is exploitable by any device within Bluetooth range during pairing operations.
03. Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 3.16 | 3.16 | 9a38659a3d06 |
| 5.10 | 5.10.253 | 667f44f1392d |
| 5.15 | 5.15.203 | 929db734d12d |
| 6.1 | 6.1.168 | b1c6a8e554a3 |
| 6.6 | 6.6.134 | 0afc846bd800 |
| 6.12 | 6.12.81 | 061ee71ac6b0 |
| 6.18 | 6.18.22 | 9a6d0db176f0 |
| 6.19 | 6.19.12 | 20756fec2f01 |
| mainline | 7.0 | (not listed) |