CVE-2021-3658 — Incorrect Authorization in Bluez

CWE-863 — Incorrect Authorization CWE-772 — Missing Release of Resource after Effective Lifetime9 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 77.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bluez Debian Bluez Fedoraproject Fedora

Timeline

PublishedMar 2

Latest updateApr 16

Description

bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDbluez/bluez< 5.61

▶debiandebian/bluez< bluez 5.61-1 (bookworm)

▶Debianbluez/bluez< 5.55-3.1+deb11u2+3

▶Ubuntubluez/bluez< 5.48-0ubuntu3.6+1

▶CVEListV5bluez/bluezFixedin - 5.61 and above.

Also affects: Fedora 34

Patches

Patch: bugzilla.redhat.com ↗Patch: git.kernel.org ↗Patch: github.com ↗

🔴Vulnerability Details

VulDB

BlueZ bluetoothd authorization (Issue 89)↗2026-04-16

▶

GHSA

GHSA-839c-8x38-qf59: bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up↗2022-03-04

▶

OSV

CVE-2021-3658: bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up↗2022-03-02

▶

OSV

bluez vulnerabilities↗2021-11-23

▶

📋Vendor Advisories

Red Hat

kernel: net:sfc: fix non-freed irq in legacy irq mode↗2024-05-21

▶

Ubuntu

BlueZ vulnerabilities↗2021-11-23

▶

Red Hat

bluez: adapter incorrectly restores Discoverable state after powered down↗2021-07-27

▶

Debian

CVE-2021-3658: bluez - bluetoothd from bluez incorrectly saves adapters' Discoverable status when a dev...↗2021

▶