CVE-2026-43334: Linux Kernel Auth Bypass Vulnerability

CVE-2026-43334 Overview

CVE-2026-43334 is a vulnerability in the Linux kernel Bluetooth Security Manager Protocol (SMP) implementation. The flaw allows an initiator device to bypass the responder's local BT_SECURITY_HIGH Man-in-the-Middle (MITM) protection requirement during pairing. The responder builds its pairing response directly from the initiator's auth_req field before enforcing local security policy. This inconsistency causes tk_request() to select the JUST_CFM association method instead of an authenticated method, weakening pairing security on the adjacent Bluetooth network.

Critical Impact

An adjacent attacker within Bluetooth range can force a downgrade of pairing authentication, bypassing MITM protection and compromising the confidentiality and integrity of paired sessions.

Affected Products

• Linux Kernel (multiple stable branches prior to fix commits)
• Linux Kernel 7.0 release candidates (rc1 through rc6)
• Bluetooth-enabled Linux distributions using the affected kernel versions

Discovery Timeline

• 2026-05-08 - CVE-2026-43334 published to NVD
• 2026-05-15 - Last updated in NVD database

Technical Details for CVE-2026-43334

Vulnerability Analysis

The vulnerability resides in the smp_cmd_pairing_req() function within the Linux kernel Bluetooth SMP code. When a remote initiator sends a pairing request, the responder constructs its pairing response using the initiator's auth_req field directly. The responder fails to apply its own BT_SECURITY_HIGH requirements before generating the response.

If the initiator omits the SMP_AUTH_MITM flag, the responder's reply also omits it. This occurs even when the local side mandates MITM protection. The downstream tk_request() function then evaluates an auth value that lacks SMP_AUTH_MITM and may select the JUST_CFM (Just Works confirmation) association method.

This breaks the pairing policy contract. The responder enforces HIGH security but negotiates an unauthenticated key exchange. An adjacent attacker can exploit this to complete pairing without satisfying MITM protection, undermining the confidentiality and integrity guarantees of the Bluetooth link.

Root Cause

The root cause is an order-of-operations flaw in pairing parameter negotiation. smp_cmd_pairing_req() builds the pairing response before validating local security requirements against IO capability constraints. The responder auth bits and the later method selection are not aligned with the enforced pairing policy.

Attack Vector

Exploitation requires adjacent network access over Bluetooth. An attacker initiates pairing with a vulnerable Linux host and crafts a pairing request that omits the SMP_AUTH_MITM flag. The responder echoes the missing flag in its reply, and the subsequent association method downgrades to JUST_CFM. The attacker completes pairing without MITM protection and can intercept or tamper with the Bluetooth session. No prior authentication is required, and no user interaction is needed beyond standard pairing acceptance.

No public proof-of-concept exploit is currently available for this vulnerability. Refer to the upstream kernel commits for technical fix details.

Detection Methods for CVE-2026-43334

Indicators of Compromise

• Unexpected Bluetooth pairing events that complete using the JUST_CFM or Just Works association method on hosts configured for BT_SECURITY_HIGH.
• Kernel log entries showing SMP pairing responses with auth flags inconsistent with configured security policy.
• Bluetooth pairing initiated by unknown adjacent devices within physical range.

Detection Strategies

• Audit kernel versions across Linux fleets and compare against the patched stable commits referenced in the upstream advisories.
• Monitor dmesg and journalctl output for SMP-related messages from the bluetooth subsystem indicating method selection during pairing.
• Capture Bluetooth HCI traces with btmon on sensitive hosts and inspect SMP pairing request and response packets for missing SMP_AUTH_MITM flags.

Monitoring Recommendations

• Forward Bluetooth subsystem logs to a centralized logging platform and alert on pairing completions that do not assert MITM authentication.
• Track host inventory for kernel build numbers and flag systems running affected versions of the Linux kernel.
• Establish a baseline of authorized Bluetooth peers and alert on pairing attempts from unrecognized device addresses.

How to Mitigate CVE-2026-43334

Immediate Actions Required

• Apply the upstream Linux kernel stable patches referenced in the vendor advisories as soon as distribution builds are available.
• Disable Bluetooth on hosts that do not require it, particularly on servers and workstations operating in untrusted RF environments.
• Restrict Bluetooth discoverability and pairing to controlled windows and verified peer devices.

Patch Information

The Linux kernel maintainers have released fixes across multiple stable branches. The patch reorders pairing logic so the responder verifies that MITM can be satisfied by available IO capabilities, then forces SMP_AUTH_MITM into both rsp.auth_req and the local auth value before method selection. Relevant fix commits include Linux Kernel Commit 01bb4045, Linux Kernel Commit 425a22c5, Linux Kernel Commit 7ab69426, Linux Kernel Commit 91649c02, Linux Kernel Commit c8ff0ca6, Linux Kernel Commit d05111bf, Linux Kernel Commit ec17efb1, and Linux Kernel Commit fa14e0e1.

Workarounds

• Disable the Bluetooth subsystem on hosts where it is not operationally required using rfkill block bluetooth or by unloading the bluetooth kernel module.
• Operate sensitive Linux hosts in environments shielded from untrusted Bluetooth radios until kernel patches are deployed.
• Remove existing pairings with untrusted devices and re-pair only after patched kernels are installed.

# Block Bluetooth radio and prevent automatic pairing until patched
sudo rfkill block bluetooth
sudo systemctl stop bluetooth.service
sudo systemctl disable bluetooth.service

# Verify installed kernel version against patched stable branches
uname -r