CVE-2023-44431 — Stack-based Buffer Overflow in Bluez

CWE-121 — Stack-based Buffer Overflow5 documents5 sources

Severity

8.0HIGHNVD

EPSS

2.5%

top 14.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bluez Debian Bluez

Timeline

PublishedMay 3

Description

BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to…

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages2 packages

▶NVDbluez/bluez5.66

▶debiandebian/bluez

🔴Vulnerability Details

GHSA

GHSA-crgw-4rjj-j4j9: BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability↗2024-05-03

▶

OSV

CVE-2023-44431: BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability↗2024-05-03

▶

📋Vendor Advisories

Red Hat

bluez: AVRCP stack-based buffer overflow remote code execution vulnerability↗2024-05-03

▶

Debian

CVE-2023-44431: bluez - BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vuln...↗2023

▶