HIGH
bluetooth L2CAP TypeConfusion
CVE-2026-43062
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
KernelScan AI 5.9 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()

l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes with result at offset 0).

This causes two problems:

- The sizeof(*rsp) length check requires 8 bytes instead of the correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected with -EPROTO.
- rsp->result reads from offset 6 instead of offset 0, returning wrong data when the packet is large enough to pass the check.

Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field.
02 KernelScan AI Analysis
Risk summary
Bluetooth devices using Enhanced Credit Based Mode are vulnerable to packet rejection and incorrect data processing when handling L2CAP reconfiguration responses. Attackers within Bluetooth range can cause denial of service or potentially trigger unexpected behavior by sending malformed L2CAP packets.
Vulnerability analysis
The vulnerability stems from l2cap_ecred_reconf_rsp() incorrectly casting incoming L2CAP_ECRED_RECONF_RSP packets to struct l2cap_ecred_conn_rsp instead of struct l2cap_ecred_reconf_rsp. This type confusion causes two issues: valid 2-byte reconfiguration response packets are rejected because the code expects 8 bytes, and when packets are large enough to pass the length check, the result field is read from the wrong offset (6 instead of 0), leading to incorrect data interpretation. The fix corrects the struct type and improves debug output. The attack surface is limited to adjacent Bluetooth attackers who can send crafted L2CAP packets to trigger the vulnerable code path in Enhanced Credit Based Mode connections.
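The mismatch described above, as an added user-space sketch in C (not the kernel's code and not part of the original entry). The layouts follow the sizes and offsets given in the description; the type names, function names, field names other than `result`, and the sample buffers are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layouts per the description: 8 bytes with result at offset 6, and
 * 2 bytes with result at offset 0. Type names and every field name
 * other than `result` are assumptions made for this sketch. */
struct conn_rsp   { uint8_t mtu[2], mps[2], credits[2], result[2]; };
struct reconf_rsp { uint8_t result[2]; };

/* Constructed samples: a valid 2-byte response (result 0x0000) and the
 * same response followed by six extra bytes, with 0x0003 at offset 6. */
static const uint8_t valid_rsp[]  = { 0x00, 0x00 };
static const uint8_t padded_rsp[] = { 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x03, 0x00 };

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Before the fix: the payload is viewed through the connection-response type. */
static int parse_confused(const uint8_t *data, size_t len, uint16_t *result)
{
    const struct conn_rsp *rsp = (const void *)data;
    if (len < sizeof(*rsp))          /* demands 8 bytes */
        return -EPROTO;
    *result = get_le16(rsp->result); /* reads offset 6 */
    return 0;
}

/* After the fix: the payload is viewed through the reconfigure-response type. */
static int parse_fixed(const uint8_t *data, size_t len, uint16_t *result)
{
    const struct reconf_rsp *rsp = (const void *)data;
    if (len < sizeof(*rsp))          /* demands 2 bytes */
        return -EPROTO;
    *result = get_le16(rsp->result); /* reads offset 0 */
    return 0;
}

int main(void)
{
    uint16_t r = 0;
    int rc = parse_confused(valid_rsp, sizeof(valid_rsp), &r);
    printf("confused, 2 bytes: rc=%d\n", rc);
    rc = parse_confused(padded_rsp, sizeof(padded_rsp), &r);
    printf("confused, 8 bytes: rc=%d result=0x%04x\n", rc, (unsigned)r);
    rc = parse_fixed(padded_rsp, sizeof(padded_rsp), &r);
    printf("fixed,    8 bytes: rc=%d result=0x%04x\n", rc, (unsigned)r);
    return 0;
}
```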
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 21d3ba696918 |
| 5.15 | 5.15.203 | 3b94e62caa1d |
| 6.1 | 6.1.167 | 111f74547eee |
| 6.6 | 6.6.130 | dd3b221e2107 |
| 6.12 | 6.12.78 | d90150c72d2e |
| 6.18 | 6.18.20 | 5a1ea296f858 |
| 6.19 | 6.19.10 | f110b8f58b25 |
| mainline | 7.0 | 15145675690c |