In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix type confusion in l2capecredreconf_rsp()
l2capecredreconfrsp() casts the incoming data to struct l2capecredconnrsp (the ECRED connection response, 8 bytes with result at offset 6) instead of struct l2capecredreconf_rsp (2 bytes with result at offset 0).
This causes two problems:
The sizeof(*rsp) length check requires 8 bytes instead of the correct 2, so valid L2CAPECREDRECONF_RSP packets are rejected with -EPROTO.
rsp->result reads from offset 6 instead of offset 0, returning wrong data when the packet is large enough to pass the check.
Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43062.json",
"cna_assigner": "Linux"
}