CVE-2023-50230 — Heap-based Buffer Overflow in Bluez

CWE-122 — Heap-based Buffer Overflow6 documents6 sources

Severity

8.0HIGHNVD

EPSS

3.6%

top 12.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bluez Debian Bluez

Timeline

PublishedMay 3

Latest updateJan 22

Description

BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied d…

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages4 packages

▶NVDbluez/bluez5.66 — 5.70

▶debiandebian/bluez< bluez 5.66-1+deb12u2 (bookworm)

▶Debianbluez/bluez< 5.55-3.1+deb11u2+3

▶CVEListV5bluez/bluez5.66

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-50230: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability↗2024-05-03

▶

GHSA

GHSA-w9r2-6h22-p3p7: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability↗2024-05-03

▶

📋Vendor Advisories

Ubuntu

BlueZ vulnerabilities↗2025-01-22

▶

Red Hat

bluez: phone book access profile heap-based buffer overflow remote code execution vulnerability↗2024-05-03

▶

Debian

CVE-2023-50230: bluez - BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution...↗2023

▶