CVE-2019-8921 — Insufficient Verification of Data Authenticity in Bluez

CWE-345 — Insufficient Verification of Data Authenticity CWE-20 — Improper Input Validation CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 88.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bluez Debian Bluez Debian Linux

Timeline

PublishedNov 29

Latest updateApr 16

Description

An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check whether the CSTATE data is the same in consecutive requests, and instead simply tr…

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/bluez< bluez 5.54-1 (bookworm)

▶Debianbluez/bluez< 5.54-1+3

▶Ubuntubluez/bluez< 5.37-0ubuntu5.3+esm5

▶NVDbluez/bluez5.48

Also affects: Debian Linux 10.0

Patches

Patch: ssd-disclosure.com ↗Patch: ssd-disclosure.com ↗

🔴Vulnerability Details

VulDB

BlueZ up to 5.48 bluetoothd sdpd-request.c heap-based overflow (Nessus ID 216160)↗2026-04-16

▶

OSV

bluez vulnerabilities↗2025-02-12

▶

GHSA

GHSA-69h8-fh92-ch8q: An issue was discovered in bluetoothd in BlueZ through 5↗2021-11-30

▶

OSV

CVE-2019-8921: An issue was discovered in bluetoothd in BlueZ through 5↗2021-11-29

▶

📋Vendor Advisories

Ubuntu

BlueZ vulnerabilities↗2025-02-12

▶

Red Hat

bluez: information leak in service_attr_req() in sdpd-request.c via a crafted CSTATE↗2019-02-25

▶

Debian

CVE-2019-8921: bluez - An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability l...↗2019

▶