CVE-2017-1000251

HIGH

Linux Kernel 2.6.32-4.13.1 - Remote Code Execution via Bluetooth L2CAP Configuration Response

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 10 public exploits for CVE-2017-1000251. PoCs published by Marcin Kozlowski, Miracle963, hayzamjs.

AI-analyzed exploit summary This is a Proof of Concept (PoC) for CVE-2017-1000251, demonstrating a Denial of Service (DoS) attack on Linux Bluetooth stacks by sending malformed L2CAP configuration requests. The exploit leverages Scapy to craft and send these packets, causing a crash in vulnerable systems.

Description

The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.

Exploits (10)

exploitdb WORKING POC
by Marcin Kozlowski · textdoslinux
https://www.exploit-db.com/exploits/42762

This is a Proof of Concept (PoC) for CVE-2017-1000251, demonstrating a Denial of Service (DoS) attack on Linux Bluetooth stacks by sending malformed L2CAP configuration requests. The exploit leverages Scapy to craft and send these packets, causing a crash in vulnerable systems.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel v3.3-rc1 and later (Bluetooth stack)
No auth needed
Prerequisites: Scapy installed · Bluetooth interface available · Target device with vulnerable Linux kernel
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC 38 stars
by Miracle963 · pythonpoc
https://github.com/Miracle963/bluetooth-cve/tree/master/littl_tools/CVE-2017-1000251

This repository contains a functional PoC for CVE-2017-1000251, a Bluetooth stack vulnerability in Linux. The exploit sends malformed L2CAP packets to trigger a remote DoS by exploiting improper handling of L2CAP configuration requests.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Linux Bluetooth stack (BlueZ)
No auth needed
Prerequisites: Bluetooth enabled on target · Target address (MAC)
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 17 stars
by hayzamjs · poc
https://github.com/hayzamjs/Blueborne-CVE-2017-1000251

This repository contains a functional proof-of-concept exploit for CVE-2017-1000251, a Bluetooth vulnerability. The exploit uses Scapy to craft and send malformed L2CAP packets to trigger a denial-of-service (DoS) condition on vulnerable devices.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Bluetooth implementations (Linux kernel bluez)
No auth needed
Prerequisites: Bluetooth-enabled device · Proximity to target device · Scapy library
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 6 stars
by sgxgsx · poc
https://github.com/sgxgsx/blueborne-CVE-2017-1000251

This repository contains a functional proof-of-concept exploit for CVE-2017-1000251, a Bluetooth stack buffer overflow in Linux Kernel versions before 4.13.1. The exploit sends crafted L2CAP packets to trigger a DoS (crash) and includes shellcode to print a character in the kernel log.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel < 4.13.1
No auth needed
Prerequisites: Bluetooth-enabled Linux system with vulnerable kernel · Physical or logical proximity to target device
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 5 stars
by own2pwn · poc
https://github.com/own2pwn/blueborne-CVE-2017-1000251-POC

This repository contains a functional Proof of Concept (PoC) for CVE-2017-1000251, a Bluetooth vulnerability affecting Linux kernels. The exploit leverages malformed L2CAP packets to trigger a heap overflow, demonstrating the vulnerability without a payload.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel (Bluetooth stack)
No auth needed
Prerequisites: Bluetooth-enabled target device · Proximity to the target for Bluetooth communication
devstral-2 · analyzed Feb 18, 2026 Full analysis →
gitlab WORKING POC
by neville133 · poc
https://gitlab.com/neville133/blueborne-CVE-2017-1000251

This repository contains a functional exploit for CVE-2017-1000251, a BlueBorne vulnerability affecting Linux kernel Bluetooth implementations. The exploit demonstrates remote code execution (RCE) by leveraging a stack-based buffer overflow in the Bluetooth stack.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel (Bluetooth stack)
No auth needed
Prerequisites: Bluetooth-enabled Linux system · Proximity to target device
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC
by istanescu · poc
https://github.com/istanescu/CVE-2017-1000251_Exploit

This repository contains a functional exploit for CVE-2017-1000251, targeting the BlueBorne vulnerability in Bluetooth L2CAP implementations. The exploit leverages a stack-based buffer overflow to achieve remote code execution (RCE) on vulnerable devices, specifically tested against an Amazon Echo (1st Generation) and a TomTom MFD 1ME09 device.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Linux Kernel v2.6.37 (Amazon Echo 1st Generation), TomTom MFD 1ME09
No auth needed
Prerequisites: Bluetooth connectivity to the target device · Target device must be unpatched and vulnerable to CVE-2017-1000251
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by tlatkdgus1 · poc
https://github.com/tlatkdgus1/blueborne-CVE-2017-1000251

This repository contains a functional exploit for CVE-2017-1000251, a BlueBorne vulnerability affecting Linux kernel Bluetooth implementations. The exploit uses Scapy to craft malicious L2CAP packets to trigger a heap overflow, potentially leading to remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel Bluetooth stack (versions prior to fix)
No auth needed
Prerequisites: Bluetooth connectivity to target device · Target device with vulnerable Linux kernel
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (21)

Core 21
Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2732
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42762/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2705
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2683
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2704
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2682
Third Party Advisory x_refsource_confirm
https://access.redhat.com/security/vulnerabilities/blueborne
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039373
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2731
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3981
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2706
Third Party Advisory x_refsource_confirm
http://nvidia.custhelp.com/app/answers/detail/a_id/4561
Patch, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100809
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/240311
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2681
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2679
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2680
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2707
Third Party Advisory x_refsource_misc
https://www.armis.com/blueborne

Scores

CVSS v3 8.0
EPSS 0.1618
EPSS Percentile 96.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (35)
debian/debian_linux 8.0
debian/debian_linux 9.0
linux/linux_kernel 2.6.32 - 3.2.94
nvidia/jetson_tk1 r21
nvidia/jetson_tk1 r24
nvidia/jetson_tx1 r21
nvidia/jetson_tx1 r24
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 6.0
... and 25 more
Published Sep 12, 2017
Tracked Since Feb 18, 2026