Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-01T00:00:00 kernel: Bluetooth: SMP: derive legacy responder STK authentication from MITM state 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CWE-372

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: derive legacy responder STK authentication from MITM state The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved. For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security. Use the established MITM state when storing the responder STK so the key metadata matches the pairing result. This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated.

A flaw was found in the Linux kernel's Bluetooth Security Manager Protocol (SMP). The system incorrectly labels a Short Term Key (STK) as authenticated during legacy pairing, even when Man-in-the-Middle (MITM) protection was not established. This misrepresentation of the key's authentication status could allow an attacker to bypass expected security measures, potentially leading to unauthorized access or a downgrade of the Bluetooth connection's security.

Legacy Bluetooth SMP responder STK derivation must incorporate MITM state so pairing strength matches the negotiated threat model. Red Hat treats this as cryptographic protocol correctness for BR/EDR LE legacy pairing. To mitigate this issue, prevent the bluetooth module from being loaded. See https://access.redhat.com/solutions/41278 for instructions. Red Hat Enterprise Linux 10 Affected kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Affected kernel Red Hat Enterprise Linux 8 Affected kernel-rt Red Hat Enterprise Linux 9 Affected kernel Red Hat Enterprise Linux 9 Affected kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-31773 https://nvd.nist.gov/vuln/detail/CVE-2026-31773 https://lore.kernel.org/linux-cve-announce/2026050149-CVE-2026-31773-e287@gregkh/T