CVE-2021-3658
MEDIUM
bluez < 5.61 - Incorrect Authorization via Discoverable Status Persistence
Title source: llm
Description
bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the Bluetooth stack to physically nearby attackers.
References (6)
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://gitlab.gnome.org/GNOME/gnome-bluetooth/-/issues/89
Patch, Third Party Advisory x_refsource_misc
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=b497b5942a8beb8f89ca1c359c54ad67ec843055
Patch, Third Party Advisory x_refsource_misc
https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1984728
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220407-0002/
Scores
CVSS v3
6.5
EPSS
0.0007
EPSS Percentile
22.1%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (3)
None/bluez
Fixed in: 5.61 and above.
bluez/bluez
< 5.61
fedoraproject/fedora
34
Published
Mar 02, 2022
Tracked Since
Feb 18, 2026