2464441 – (CVE-2026-31773) CVE-2026-31773 kernel: Bluetooth: SMP: derive legacy responder STK authentication from MITM state

Bug 2464441 (CVE-2026-31773) - CVE-2026-31773 kernel: Bluetooth: SMP: derive legacy responder STK authentication from MITM state

Summary: CVE-2026-31773 kernel: Bluetooth: SMP: derive legacy responder STK authentica...

Keywords:
Status:	NEW
Alias:	CVE-2026-31773
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-01 15:06 UTC by OSIDB Bzimport
Modified:	2026-05-01 23:13 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:06:59 UTC

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SMP: derive legacy responder STK authentication from MITM state

The legacy responder path in smp_random() currently labels the stored
STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.
That reflects what the local service requested, not what the pairing
flow actually achieved.

For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear
and the resulting STK should remain unauthenticated even if the local
side requested HIGH security. Use the established MITM state when
storing the responder STK so the key metadata matches the pairing result.

This also keeps the legacy path aligned with the Secure Connections code,
which already treats JUST_WORKS/JUST_CFM as unauthenticated.

Comment 1 Keith Grant 2026-05-01 23:12:31 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050149-CVE-2026-31773-e287@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.