Bluetooth MGMT LTK Overflow
CVE-2026-43020
Severity: HIGH (KernelScan AI score 7.8)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate LTK enc_size on load

Load Long Term Keys stores the user-provided enc_size and later uses it to size fixed-size stack operations when replying to LE LTK requests. An enc_size larger than the 16-byte key buffer can therefore overflow the reply stack buffer. Reject oversized enc_size values while validating the management LTK record so invalid keys never reach the stored key state.
02 KernelScan AI Analysis
Risk summary
Local attackers who can issue Bluetooth management commands (in practice root or a process holding CAP_NET_ADMIN, since Load Long Term Keys is only accepted on a trusted management socket) can store an LTK record whose enc_size exceeds the 16-byte key buffer. When the kernel later answers an LE LTK request for that key it builds the reply on the stack using the stored size, overflowing the reply buffer. The outcome ranges from a kernel crash (denial of service) to, in principle, code execution in kernel context and escalation to root.
Vulnerability analysis
The bug is in the Bluetooth management (MGMT) interface's handling of the Load Long Term Keys command. Each mgmt_ltk_info record carries a user-supplied enc_size. The record validator ltk_is_valid() checked the address type and initiator flag but never compared enc_size against the key buffer, so a record with enc_size greater than sizeof(key->val) (16 bytes) was stored as-is. The stored value is not used at load time; it is used later, when the kernel answers an LE LTK request for that key and builds the reply on the stack. There enc_size sizes the copy of key bytes into the fixed 16-byte reply buffer and the zeroing of the remainder, so an oversized value overruns the buffer, and because the remainder is computed in size_t the padding length wraps to a huge count. The fix adds a bounds check to ltk_is_valid() that rejects any record with enc_size > sizeof(key->val), so invalid keys never reach the stored key state. Two practical caveats: the Load Long Term Keys command is only honoured on a management socket bound with CAP_NET_ADMIN (in practice root or the Bluetooth daemon), which is more privilege than the PR:L in the CVSS vector suggests; and the overflow is only reached once an LTK request arrives for the poisoned key, i.e. after an LE peer (or an emulated controller) asks the host to encrypt with it, so loading the record on its own does not crash the kernel.
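To make the two halves of the bug concrete, the following is an added example written for this page; it is not kernel code and not KernelScan's. The structures are trimmed, constructed stand-ins for mgmt_ltk_info and the LE LTK reply (field sets and address-type codes are hypothetical, not the real ABI), the reply path is assumed to follow the copy-then-zero-pad pattern the commit message describes, and the function names ltk_is_valid_unpatched, ltk_is_valid_patched, reply_pad_len_unchecked and build_ltk_reply are this example's own. It shows the pre-fix validator accepting enc_size = 17, the patched validator rejecting it, the size_t wrap that an unvalidated padding computation produces, and a reply builder that refuses oversized keys and zero-pads short ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Trimmed, constructed stand-ins for the kernel's mgmt_ltk_info and the LE
 * LTK reply. Only the fields the bug touches are modelled; the layouts and
 * the address-type codes below are hypothetical, not the real ABI. */
#define LTK_LEN 16

enum { ADDR_LE_PUBLIC = 1, ADDR_LE_RANDOM = 2 };   /* hypothetical codes */

struct mgmt_ltk_record {       /* one entry of a Load Long Term Keys command */
    uint8_t addr_type;
    uint8_t initiator;         /* 0x00 or 0x01 */
    uint8_t enc_size;          /* user-controlled; the field at issue */
    uint8_t val[LTK_LEN];      /* the 16-byte key buffer */
};

struct le_ltk_reply {          /* reply built on the stack for an LE LTK request */
    uint16_t handle;
    uint8_t  ltk[LTK_LEN];
};

/* Pre-fix shape of the record check: enc_size is never examined. */
bool ltk_is_valid_unpatched(const struct mgmt_ltk_record *key)
{
    if (key->initiator != 0x00 && key->initiator != 0x01)
        return false;
    return key->addr_type == ADDR_LE_PUBLIC || key->addr_type == ADDR_LE_RANDOM;
}

/* Patched shape: a record whose enc_size cannot fit in val[] is rejected at
 * load time, so it never reaches the stored key list. */
bool ltk_is_valid_patched(const struct mgmt_ltk_record *key)
{
    if (key->enc_size > sizeof(key->val))
        return false;
    return ltk_is_valid_unpatched(key);
}

/* The padding length an unvalidated reply path computes. sizeof() yields
 * size_t, so for enc_size > 16 the subtraction wraps to a huge count rather
 * than going negative; a memset using it would run off the stack. The value
 * is only computed here, never handed to memset. */
size_t reply_pad_len_unchecked(uint8_t enc_size)
{
    return sizeof(((struct le_ltk_reply *)0)->ltk) - enc_size;
}

/* Hardened reply builder: re-checks enc_size even for already-stored keys
 * (defence in depth beyond the load-time fix). Returns 0 on success, -1 if
 * the key cannot be used. Shorter keys are zero-padded to 16 bytes. */
int build_ltk_reply(struct le_ltk_reply *out, uint16_t handle,
                    const struct mgmt_ltk_record *key)
{
    if (key->enc_size > sizeof(out->ltk))
        return -1;
    memset(out, 0, sizeof(*out));
    out->handle = handle;
    memcpy(out->ltk, key->val, key->enc_size);
    return 0;
}

/* Constructed test record: key bytes 0xA0..0xAF so that copied and padded
 * bytes are distinguishable in the reply. */
static struct mgmt_ltk_record make_record(uint8_t enc_size)
{
    struct mgmt_ltk_record k = { .addr_type = ADDR_LE_PUBLIC, .initiator = 0,
                                 .enc_size = enc_size };
    for (unsigned i = 0; i < LTK_LEN; i++)
        k.val[i] = (uint8_t)(0xA0 + i);
    return k;
}

bool unpatched_accepts(uint8_t enc_size)
{
    struct mgmt_ltk_record k = make_record(enc_size);
    return ltk_is_valid_unpatched(&k);
}

bool patched_accepts(uint8_t enc_size)
{
    struct mgmt_ltk_record k = make_record(enc_size);
    return ltk_is_valid_patched(&k);
}

/* Byte idx of the reply built for a key of enc_size, or -1 if refused. */
int reply_byte(uint8_t enc_size, unsigned idx)
{
    struct mgmt_ltk_record k = make_record(enc_size);
    struct le_ltk_reply r;
    if (idx >= LTK_LEN || build_ltk_reply(&r, 0x0040, &k) < 0)
        return -1;
    return r.ltk[idx];
}

int main(void)
{
    printf("enc_size=17: unpatched accepts=%d, patched accepts=%d, pad_len=%zu\n",
           unpatched_accepts(17), patched_accepts(17), reply_pad_len_unchecked(17));
    printf("enc_size=7 reply: byte6=0x%02x byte7=0x%02x\n",
           reply_byte(7, 6), reply_byte(7, 7));
    return 0;
}
```

The point of reply_pad_len_unchecked is that "16 minus 17" in the reply path is not a small negative number but SIZE_MAX, so the overrun is not a one-byte slip; it is a memcpy past the reply buffer followed by a zeroing run of effectively unbounded length. The load-time check in ltk_is_valid_patched is the actual fix; build_ltk_reply additionally shows the belt-and-braces check a reviewer would want on the consumer side so that a key that entered the store by some other route cannot reach the same stack operations.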
03 Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 0f37d1e65c6d |
| 5.15 | 5.15.203 | 257cdb960d8f |
| 6.1 | 6.1.168 | c34577f517b5 |
| 6.6 | 6.6.134 | f71695e81f4c |
| 6.12 | 6.12.81 | 82f342b3b006 |
| 6.18 | 6.18.22 | 50fb64defa72 |
| 6.19 | 6.19.12 | 40ba329e8b4c |
| mainline | 7.0 | b8dbe9648d69 |