HIGH
bluetooth L2CAP KeySize
CVE-2026-43134
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
KernelScan AI5.4MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ This adds a check for encryption key size upon receiving L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which expects L2CAP_CR_LE_BAD_KEY_SIZE.
02KernelScan AI Analysis
Risk summary
Bluetooth LE devices can establish L2CAP connections with insufficient encryption key sizes, potentially allowing eavesdropping or data manipulation. Attackers within Bluetooth range can exploit this to bypass intended security levels.
Vulnerability analysis
The l2cap_le_connect_req function in the Bluetooth L2CAP subsystem fails to validate encryption key size when processing LE connection requests. The fix adds a call to l2cap_check_enc_key_size() to ensure the key meets security requirements before accepting connections. This is exploitable by any Bluetooth LE device within radio range (typically <10 meters) without requiring authentication or special privileges.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | 335071c0c363 |
| 5.15 | 5.15.202 | fa6ad76fa862 |
| 6.1 | 6.1.165 | 9118601ff90b |
| 6.12 | 6.12.75 | ec91078e1321 |
| 6.18 | 6.18.16 | 96581749c7c1 |
| 6.19 | 6.19.6 | 8dd43f9a9323 |
| 6.6 | 6.6.128 | 481ea39b342c |
| mainline | 7.0 | 138d7eca445e |