CVE-2026-31773 Overview
CVE-2026-31773 is a Linux kernel vulnerability in the Bluetooth Security Manager Protocol (SMP) implementation. The legacy responder path in smp_random() incorrectly labels the stored Short Term Key (STK) as authenticated whenever pending_sec_level is set to BT_SECURITY_HIGH. This reflects what the local service requested rather than what the pairing flow actually achieved. The flaw allows Just Works and Just Confirm legacy pairings to produce keys marked authenticated, even when no Man-in-the-Middle (MITM) protection occurred during pairing.
Critical Impact
An adjacent attacker within Bluetooth range can leverage incorrect key authentication metadata to bypass MITM protections, leading to compromise of confidentiality, integrity, and availability of the affected system.
Affected Products
- Linux kernel Bluetooth subsystem (SMP module)
- Distributions shipping vulnerable kernel versions prior to the upstream fix
- Devices using legacy Bluetooth pairing (Just Works / Just Confirm flows)
Discovery Timeline
- 2026-05-01 - CVE-2026-31773 published to NVD
- 2026-05-03 - Last updated in NVD database
Technical Details for CVE-2026-31773
Vulnerability Analysis
The vulnerability resides in the Linux kernel Bluetooth SMP implementation, specifically in the legacy responder code path within smp_random(). When the local service requests BT_SECURITY_HIGH, the responder stores the resulting STK with the authenticated flag set, regardless of whether MITM authentication was actually performed during the pairing exchange.
For legacy Just Works and Just Confirm pairings, the SMP_FLAG_MITM_AUTH flag remains clear because no out-of-band confirmation or passkey entry occurs. Despite this, the resulting STK was being persisted as authenticated. Consumers of the key metadata then treat the link as MITM-protected when no such protection exists.
The fix derives the responder STK authentication state from the actual MITM flag rather than from the requested security level. This aligns the legacy code path with the Secure Connections implementation, which already correctly treats Just Works and Just Confirm as unauthenticated.
Root Cause
The root cause is incorrect mapping of pairing requirements to pairing outcomes. The code conflated pending_sec_level == BT_SECURITY_HIGH (a request) with successful MITM authentication (a result). This is a logic flaw in security state tracking rather than a memory safety issue.
Attack Vector
Exploitation requires adjacent network access over Bluetooth. An attacker within radio range can initiate a legacy pairing using Just Works while the victim service requests HIGH security. The resulting STK will be marked authenticated in kernel state, allowing downstream operations to trust a link that lacks MITM protection. This enables active attackers to interpose on subsequent encrypted traffic that depends on the authenticated key flag for trust decisions.
No verified public exploitation code is available. The vulnerability mechanism is described in the upstream commits referenced in the Linux kernel stable git tree.
Detection Methods for CVE-2026-31773
Indicators of Compromise
- Unexpected Bluetooth pairing events from devices not previously paired with the host
- Kernel log entries from the bluetooth subsystem showing legacy pairing completions when Secure Connections was expected
- STKs stored with authenticated metadata on devices that completed Just Works flows
Detection Strategies
- Audit kernel versions across the fleet against upstream stable releases containing the SMP responder fix
- Monitor hci0 and related Bluetooth interfaces with btmon for legacy pairing transactions involving HIGH security requests
- Inspect paired-device databases for entries claiming MITM authentication on links that used Just Works
Monitoring Recommendations
- Forward Bluetooth daemon logs (bluetoothd) and kernel dmesg Bluetooth events to centralized logging
- Alert on pairing requests originating from unknown adjacent devices, especially in fixed-location systems
- Track installed kernel package versions and flag hosts running pre-patch kernels in vulnerability management dashboards
How to Mitigate CVE-2026-31773
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the kernel.org stable commits and reboot affected hosts
- Update to a distribution kernel package that includes the SMP responder authentication fix
- Disable Bluetooth on systems where it is not required, especially servers and fixed infrastructure
Patch Information
The fix is distributed across multiple stable kernel branches. Relevant upstream commits include 061ee71ac6b0, 0afc846bd800, 20756fec2f01, 667f44f1392d, 929db734d12d, 9a38659a3d06, 9a6d0db176f0, and b1c6a8e554a3. See the Linux kernel stable tree commit for the canonical change. Distribution vendors will backport the fix into their supported kernel branches.
Workarounds
- Unload the bluetooth kernel module on systems that do not require Bluetooth connectivity using modprobe -r bluetooth
- Configure systems to require Secure Connections only, rejecting legacy pairing where the platform supports it
- Restrict Bluetooth discoverability and pairing windows to reduce exposure to adjacent attackers
# Configuration example: blacklist Bluetooth on hosts that do not need it
echo 'install bluetooth /bin/true' | sudo tee /etc/modprobe.d/disable-bluetooth.conf
sudo systemctl disable --now bluetooth.service
sudo rmmod bluetooth || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
