CVE-2019-9506

HIGH

Android - Bluetooth BR/EDR Encryption Key Length Downgrade via KNOB Attack

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-9506. PoCs published by francozappa, coffeeesd.

AI-analyzed exploit summary This repository contains a proof-of-concept for the KNOB attack (CVE-2019-9506), which exploits a vulnerability in Bluetooth BR/EDR and BLE key negotiation to downgrade encryption entropy. It includes tools for brute-forcing E0 encryption keys and a patched Linux kernel for testing BLE vulnerabilities.

Description

The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.

Exploits (2)

nomisec WORKING POC 187 stars
by francozappa · poc
https://github.com/francozappa/knob

This repository contains a proof-of-concept for the KNOB attack (CVE-2019-9506), which exploits a vulnerability in Bluetooth BR/EDR and BLE key negotiation to downgrade encryption entropy. It includes tools for brute-forcing E0 encryption keys and a patched Linux kernel for testing BLE vulnerabilities.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Complex
Reliability
Reliable
Target: Bluetooth BR/EDR and BLE implementations
No auth needed
Prerequisites: Proximity to target Bluetooth device · Custom Linux kernel patch for BLE testing
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by coffeeesd · poc
https://github.com/coffeeesd/knob

This repository contains Python scripts for simulating and analyzing the power distribution and mechanical dynamics of a tram system. It includes calculations for resistance, voltage, current, and power, but does not contain any exploit code or offensive techniques.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: N/A
No auth needed
Prerequisites: Python environment with numpy and matplotlib
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (30)

Core 30
Core References
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/918987/
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Aug/14
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Aug/11
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Aug/13
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Aug/15
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4115-1/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4118-1/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/09/msg00014.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/09/msg00015.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4147-1/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2975
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00037.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00036.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3076
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3055
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3089
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3187
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3165
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3217
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3220
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3231
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3218
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3309
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3517
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0204

Scores

CVSS v3 8.1
EPSS 0.0269
EPSS Percentile 83.9%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-310 CWE-327
Status published
Products (50)
apple/iphone_os 12.4
apple/mac_os_x 10.12.6
apple/mac_os_x 10.13.6
apple/mac_os_x 10.14.5
apple/tvos 12.4
apple/watchos 5.3
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
debian/debian_linux 8.0
... and 40 more
Published Aug 14, 2019
Tracked Since Feb 18, 2026