Security Vulnerability Report
CVE-2026-43062 CVSS 7.1 HIGH

CVE-2026-43062

Published: 2026-05-05 16:16:15
Last Modified: 2026-05-08 13:16:37
Status: Awaiting Analysis
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()

l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes with result at offset 0).

This causes two problems:

- The sizeof(*rsp) length check requires 8 bytes instead of the correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected with -EPROTO.
- rsp->result reads from offset 6 instead of offset 0, returning wrong data when the packet is large enough to pass the check.

Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
(Attack Vector: Adjacent Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: High; Availability: Low; exploitability subscore 2.8, impact subscore 4.2)

Configurations (Affected Products)

No configuration data available.

Linux Kernel (for the specific affected versions, refer to the security advisories of the individual distributions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * Conceptual PoC for CVE-2026-43062
 * Demonstrating the struct size mismatch and offset error.
 */
#include <stdio.h>
#include <stdint.h>

// Correct struct (2 bytes): the ECRED reconfigure response
struct l2cap_ecred_reconf_rsp {
    uint16_t result;    // Offset 0
} __attribute__((packed));

// Incorrect struct used in the bug (8 bytes): the ECRED connection response
// (field names follow the kernel's include/net/bluetooth/l2cap.h)
struct l2cap_ecred_conn_rsp {
    uint16_t mtu;
    uint16_t mps;
    uint16_t credits;
    uint16_t result;    // Offset 6
} __attribute__((packed));

int main(void)
{
    // Simulate a valid 2-byte reconfigure response packet
    unsigned char packet[2] = {0x00, 0x00};

    // Buggy code cast: the 2-byte payload is treated as the 8-byte struct
    struct l2cap_ecred_conn_rsp *rsp = (struct l2cap_ecred_conn_rsp *)packet;

    // 1. Size check fails (requires 8, got 2)
    if (sizeof(*rsp) != 2) {
        printf("[VULN] Length check fails: expected %zu, got 2\n", sizeof(*rsp));
    }

    // 2. If a larger packet passes the length check, the result is read from the wrong offset
    unsigned char padded[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF};
    rsp = (struct l2cap_ecred_conn_rsp *)padded;
    printf("[VULN] Reading result from offset 0: 0x%04x\n",
           ((struct l2cap_ecred_reconf_rsp *)padded)->result);
    printf("[VULN] Buggy code reads result from offset 6: 0x%04x\n", rsp->result);

    return 0;
}
```
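As an added example (not the kernel's code and not part of the original report), a user-space model of the handler's length check and result read, with the vulnerable form beside the fixed form. The struct layouts mirror the kernel's include/net/bluetooth/l2cap.h; the function names reconf_rsp_buggy and reconf_rsp_fixed and the le16_to_cpu helper are assumptions of this example.

```c
/* Added example, not the kernel's code: user-space model of the length check and
 * result read in l2cap_ecred_reconf_rsp(); struct layouts mirror l2cap.h. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* ECRED connection response: 8 bytes, result at offset 6 (fields are __le16) */
struct l2cap_ecred_conn_rsp {
    uint16_t mtu, mps, credits, result;
} __attribute__((packed));

/* ECRED reconfigure response: 2 bytes, result at offset 0 */
struct l2cap_ecred_reconf_rsp {
    uint16_t result;
} __attribute__((packed));

/* Stand-in for __le16_to_cpu: identity on little-endian hosts, byte swap otherwise */
static uint16_t le16_to_cpu(uint16_t v)
{
    return *(const uint8_t *)&(uint16_t){1} ? v : (uint16_t)((v << 8) | (v >> 8));
}

/* Vulnerable model: the wrong struct gives an 8-byte bound and offset 6. */
int reconf_rsp_buggy(const uint8_t *data, uint16_t cmd_len, uint16_t *result)
{
    const struct l2cap_ecred_conn_rsp *rsp = (const void *)data;
    if (cmd_len < sizeof(*rsp))
        return -EPROTO;   /* a valid 2-byte response is rejected here */
    *result = le16_to_cpu(rsp->result);
    return 0;
}

/* Fixed model: the correct struct gives a 2-byte bound and offset 0. */
int reconf_rsp_fixed(const uint8_t *data, uint16_t cmd_len, uint16_t *result)
{
    const struct l2cap_ecred_reconf_rsp *rsp = (const void *)data;
    if (cmd_len < sizeof(*rsp))
        return -EPROTO;
    *result = le16_to_cpu(rsp->result);
    return 0;
}

int main(void)
{
    const uint8_t pkt[2] = {0x01, 0x00};   /* constructed: valid response, result 1 */
    uint16_t r = 0;
    int buggy = reconf_rsp_buggy(pkt, 2, &r), fixed = reconf_rsp_fixed(pkt, 2, &r);
    printf("buggy rc=%d  fixed rc=%d result=0x%04x\n", buggy, fixed, r);
    return 0;
}
```

Fed the same 2-byte response, the buggy model rejects it with -EPROTO while the fixed one accepts it; fed an 8-byte packet, the two models report different result values because they read different offsets.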

References

Fix commits in the stable trees:
- https://git.kernel.org/stable/c/111f74547eee8cfedfb854284e80f35c8a491186
- https://git.kernel.org/stable/c/15145675690cab2de1056e7ed68e59cbd0452529
- https://git.kernel.org/stable/c/21d3ba696918d6373233aac0b9d51fcabdedddc0
- https://git.kernel.org/stable/c/3b94e62caa1dc1198d0d55d97bd710da1dee15d7
- https://git.kernel.org/stable/c/5a1ea296f8589ce8f1e3141b2b123b34ad010e19
- https://git.kernel.org/stable/c/d90150c72d2e6a8a3079e88755dafcfbe91c746d
- https://git.kernel.org/stable/c/dd3b221e21079ade8263fbb7176f3d55ad75d3b6
- https://git.kernel.org/stable/c/f110b8f58b254bf997cec1bd60701b7798e9bb82