CVE-2021-41229 — Uncontrolled Resource Consumption in Bluez

CWE-400 — Uncontrolled Resource Consumption CWE-401 — Missing Release of Memory after Effective Lifetime6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 86.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bluez Debian Bluez Debian Linux

Timeline

PublishedNov 12

Latest updateNov 23

Description

BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/bluez< bluez 5.62-2 (bookworm)

▶Debianbluez/bluez< 5.55-3.1+deb11u2+3

▶Ubuntubluez/bluez< 5.48-0ubuntu3.6+1

▶CVEListV5bluez/bluez= 5.58

▶NVDbluez/bluez5.58

Also affects: Debian Linux 10.0, 9.0

🔴Vulnerability Details

OSV

bluez vulnerabilities↗2021-11-23

▶

OSV

CVE-2021-41229: BlueZ is a Bluetooth protocol stack for Linux↗2021-11-12

▶

📋Vendor Advisories

Ubuntu

BlueZ vulnerabilities↗2021-11-23

▶

Red Hat

bluez: memory leak in the SDP protocol↗2021-11-12

▶

Debian

CVE-2021-41229: bluez - BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerabil...↗2021

▶