The Key Negotiation of Bluetooth Vulnerability (CVE-2019-9506) does not directly impact Bluetooth LE; however, similar encryption key length exchanges exist within the LE authentication and encryption procedures that could theoretically be modified in a similar fashion. Because the encryption key length cannot be lowered below 7 octets by an attacker, the LE specification is not considered similarly vulnerable. How LE is impacted, and how a potential attack should be mitigated, depends on the version of the Core Specification supported and on whether LE legacy pairing or LE Secure Connections is used.
LE legacy pairing (Core 4.0 and 4.1) is not vulnerable to an attack similar to the one described in the key-negotiation vulnerability, because the maximum key size reported by each device involved in pairing is part of the material used to craft the confirmation value that validates pairing. A MITM cannot change either number and still have the pairing succeed.
LE Secure Connections (Core 4.2 through 5.1) security mode 1 levels 2 and 3 are theoretically vulnerable to a similar class of attack because the maximum key size shared is not used in constructing the evidence exchanged during pairing. However, it is the host that decides whether the maximum encryption key length is sufficient, so there is no equivalent vulnerability that potentially affects all conforming LE implementations.
LE provides security mode 1 level 4, which restricts the encryption key length to 16 octets (128 bits). Hence, the resolution to potential encryption key length issues with LE Secure Connections is to use security mode 1 level 4.
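
The host-side decision described above can be sketched as a check over the two SMP pairing feature PDUs. This is an added example, not code from the specification or from any Bluetooth stack. The function names, the `Verdict` type and the sample PDUs are constructed for illustration, and the authenticated-pairing requirement of level 4 is outside what this check covers.

```python
import struct
from collections import namedtuple

PAIRING_REQUEST, PAIRING_RESPONSE = 0x01, 0x02
AUTHREQ_SC = 0x08          # Secure Connections bit in the AuthReq octet
MIN_KEY, MAX_KEY = 7, 16   # octets; range the LE specification allows

Verdict = namedtuple("Verdict", "accepted key_size reason")  # hypothetical result type


def parse_pairing_pdu(pdu: bytes) -> dict:
    """Decode a 7-octet SMP Pairing Request or Pairing Response."""
    if len(pdu) != 7:
        raise ValueError("pairing PDU must be 7 octets")
    code, _io, _oob, authreq, max_key, _ikd, _rkd = struct.unpack("7B", pdu)
    if code not in (PAIRING_REQUEST, PAIRING_RESPONSE):
        raise ValueError("not a pairing request/response")
    if not MIN_KEY <= max_key <= MAX_KEY:
        raise ValueError(f"maximum key size {max_key} is outside 7..16 octets")
    return {"code": code, "authreq": authreq, "max_key": max_key}


def check_pairing(preq: bytes, pres: bytes, required_key_size: int = 16) -> Verdict:
    """Apply the host's key-length policy to one pairing feature exchange."""
    req, res = parse_pairing_pdu(preq), parse_pairing_pdu(pres)
    if (req["code"], res["code"]) != (PAIRING_REQUEST, PAIRING_RESPONSE):
        raise ValueError("expected a request followed by a response")
    # The key length used is the smaller of the two advertised maxima.
    key_size = min(req["max_key"], res["max_key"])
    if not req["authreq"] & res["authreq"] & AUTHREQ_SC:
        return Verdict(False, key_size, "LE Secure Connections not supported by both sides")
    if key_size < required_key_size:
        return Verdict(False, key_size, f"{key_size}-octet key is below the required {required_key_size}")
    return Verdict(True, key_size, "ok")


# Constructed sample PDUs: code, IO cap, OOB flag, AuthReq, max key size, key distribution x2
REQ_16 = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x03, 0x03])
RES_16 = bytes([0x02, 0x04, 0x00, 0x0D, 0x10, 0x03, 0x03])
RES_7 = bytes([0x02, 0x04, 0x00, 0x0D, 0x07, 0x03, 0x03])       # maximum key size reduced to 7
RES_LEGACY = bytes([0x02, 0x04, 0x00, 0x05, 0x10, 0x03, 0x03])  # SC bit clear

if __name__ == "__main__":
    for name, res in (("16 octets", RES_16), ("7 octets", RES_7), ("legacy", RES_LEGACY)):
        print(name, check_pairing(REQ_16, res))
```

With the default `required_key_size` of 16, a response whose maximum key size has been reduced to 7 octets is rejected by the host even though 7 is a legal value on the wire.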