#VU79524 Memory leak in BlueZ


Published: 2023-08-15

Vulnerability identifier: #VU79524

Vulnerability risk: Medium

CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41229

CWE-ID: CWE-401

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
BlueZ
Universal components / Libraries / Libraries used by multiple products

Vendor: BlueZ Project

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in sdp_cstate_alloc_buf() function. A remote attacker can send specially crafted packets to the device and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

BlueZ: 5.58

External links
http://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
http://lists.debian.org/debian-lts-announce/2021/11/msg00022.html
http://security.netapp.com/advisory/ntap-20211203-0004/
http://lists.debian.org/debian-lts-announce/2022/10/msg00026.html

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for bluez
SUSE update for bluez
SUSE update for bluez
SUSE update for bluez
SUSE update for bluez
openEuler update for bluez
Denial of service in BlueZ