CVE-2026-43020 Overview
CVE-2026-43020 is a stack buffer overflow vulnerability in the Linux kernel's Bluetooth Management (MGMT) interface. The flaw resides in the Long Term Key (LTK) loading path, where the kernel stores a user-supplied enc_size field without validating its bounds. The stored value is later used to size fixed stack operations when responding to LE LTK requests. An enc_size value larger than the 16-byte key buffer can overflow the reply stack buffer. The fix rejects oversized enc_size values during validation of the management LTK record so invalid keys never reach the stored key state.
Critical Impact
A local user with privileges to issue Bluetooth MGMT commands can overflow a kernel stack buffer, potentially leading to kernel memory corruption, denial of service, or local privilege escalation.
Affected Products
- Linux kernel Bluetooth subsystem (MGMT interface)
- Multiple stable Linux kernel branches receiving backported fixes
- Distributions shipping affected upstream kernels
Discovery Timeline
- 2026-05-01 - CVE-2026-43020 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43020
Vulnerability Analysis
The vulnerability is a stack-based buffer overflow [CWE-121] in the Bluetooth MGMT subsystem of the Linux kernel. The MGMT interface allows privileged userspace to load Long Term Keys used for Bluetooth Low Energy (LE) link encryption. Each LTK record carries an enc_size field describing the encryption key length in bytes, which must not exceed 16.
The original code path stored the user-supplied enc_size directly into the kernel key state without range checks. When the kernel later replied to an LE LTK request, it copied data into a 16-byte fixed stack buffer using the stored enc_size as the length. Supplying an enc_size greater than 16 caused the copy to write beyond the buffer boundary, corrupting adjacent stack memory including saved registers and return addresses.
Root Cause
The root cause is missing input validation on the enc_size parameter in the Load Long Term Keys MGMT command handler. The handler accepted any 8-bit value and persisted it. Trust in this stored value at the LE LTK reply path created a TOCTOU-style assumption that the size was within Bluetooth specification bounds. The patch adds explicit validation that rejects records where enc_size exceeds the 16-byte maximum before the key reaches stored state.
Attack Vector
Exploitation requires local access with the CAP_NET_ADMIN capability or equivalent privileges to issue Bluetooth MGMT commands over the HCI socket. An attacker submits a crafted Load Long Term Keys command containing one or more LTK records with enc_size greater than 16. When a peer device subsequently triggers an LE LTK request matching the malicious record, the kernel performs the oversized copy and corrupts the stack frame of the responding function. Because no verified public exploit is available, real-world impact depends on stack canary configuration, KASLR, and overall kernel hardening of the target system.
No public proof-of-concept code has been published. Refer to the upstream commits referenced below for the technical fix details.
Detection Methods for CVE-2026-43020
Indicators of Compromise
- Kernel oops, panic, or stack-protector (__stack_chk_fail) messages originating from the Bluetooth LE LTK reply path
- Unexpected reboots or crashes on systems with active Bluetooth LE pairings shortly after MGMT key load operations
- Audit records showing non-root processes invoking Bluetooth MGMT commands with unusual LTK payloads
Detection Strategies
- Monitor kernel ring buffer (dmesg) and journalctl -k for stack corruption warnings tied to hci, mgmt, or smp symbols
- Enable auditd rules on the HCI socket family (AF_BLUETOOTH) to record processes issuing MGMT_OP_LOAD_LONG_TERM_KEYS commands
- Compare running kernel version and build against the patched commits listed in the Linux stable tree
Monitoring Recommendations
- Track which user accounts and services hold CAP_NET_ADMIN and can interact with /dev/rfkill or HCI sockets
- Alert on repeated Bluetooth subsystem crashes across the fleet, which can indicate exploitation attempts
- Inventory hosts where Bluetooth is enabled but not required, since reducing the attack surface limits exposure
How to Mitigate CVE-2026-43020
Immediate Actions Required
- Apply vendor kernel updates that incorporate the upstream fixes in commits 0f37d1e, 257cdb9, 40ba329, 50fb64d, 82f342b, b8dbe96, c34577f, and f71695e
- Restrict CAP_NET_ADMIN and HCI socket access to trusted system services only
- Disable the Bluetooth subsystem on servers and endpoints that do not require it
Patch Information
The Linux kernel maintainers have merged the fix across multiple stable branches. The patch validates enc_size in the management LTK record handler and rejects values greater than 16 bytes before the key is stored. Refer to the upstream commits: 0f37d1e, 257cdb9, 40ba329, 50fb64d, 82f342b, b8dbe96, c34577f, and f71695e. Apply distribution updates as soon as they are released.
Workarounds
- Blacklist the bluetooth and btusb kernel modules on systems that do not need Bluetooth functionality
- Stop and disable the bluetooth.service unit through systemctl disable --now bluetooth.service
- Use setcap audits and Linux Security Modules such as SELinux or AppArmor to constrain which binaries may open AF_BLUETOOTH sockets
# Configuration example: disable Bluetooth stack until patched kernel is deployed
sudo systemctl disable --now bluetooth.service
echo 'install bluetooth /bin/true' | sudo tee /etc/modprobe.d/disable-bluetooth.conf
echo 'install btusb /bin/true' | sudo tee -a /etc/modprobe.d/disable-bluetooth.conf
sudo rmmod btusb bluetooth 2>/dev/null || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
