CVE-2020-12351

HIGH

Linux Kernel 4.7.7-4.9.239 - Unauthenticated Privilege Escalation via BlueZ Input Validation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-12351. PoCs published by naren-jayram.

AI-analyzed exploit summary This PoC exploits a heap-based type confusion vulnerability in the Linux L2CAP implementation (CVE-2020-12351) by sending a malicious L2CAP packet over a BLE connection. The exploit targets the BlueZ stack and demonstrates the vulnerability by triggering the type confusion via a crafted packet.

Description

Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

Exploits (2)

nomisec WORKING POC 2 stars

by naren-jayram · poc

https://github.com/naren-jayram/Linux-Heap-Based-Type-Confusion-in-L2CAP

View Code ZIP pw:eip

This PoC exploits a heap-based type confusion vulnerability in the Linux L2CAP implementation (CVE-2020-12351) by sending a malicious L2CAP packet over a BLE connection. The exploit targets the BlueZ stack and demonstrates the vulnerability by triggering the type confusion via a crafted packet.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Linux Kernel with BlueZ stack (versions affected by CVE-2020-12351)

No auth needed

Prerequisites: Linux machine with BLE adapter · Target device with vulnerable BlueZ stack · Physical proximity for Bluetooth communication

MITRE ATT&CK

T1499.004 - Application or System Exploitation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

cremotelinux

https://www.exploit-db.com/exploits/49754

View Code ZIP pw:eip

This is a functional exploit for CVE-2020-12351, demonstrating a zero-click RCE vulnerability in the Linux Kernel's Bluetooth stack (BleedingTooth). It leverages heap spraying and KASLR bypass to achieve remote code execution on vulnerable systems.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Linux Kernel 5.4.0-48-generic (Ubuntu)

No auth needed

Prerequisites: Bluetooth-enabled Linux system with vulnerable kernel · Physical proximity for Bluetooth communication

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory x_refsource_misc

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html?wapkw=CVE-2020-12351

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/162131/Linux-Kernel-5.4-BleedingTooth-Remote-Code-Execution.html

Scores

CVSS v3 8.8

EPSS 0.0287

EPSS Percentile 86.6%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (3)

linux/linux_kernel 5.9.0 (7 CPE variants)

linux/linux_kernel 5.9.1

linux/linux_kernel 4.7.7 - 4.9.240

Published Nov 23, 2020

Tracked Since Feb 18, 2026