Jump to content


Google researcher found BleedingTooth flaws in Linux Bluetooth

Recommended Posts

Andy Nguyen, a Google security researcher, has found Bluetooth vulnerabilities, referred to as BleedingTooth, in the Linux kernel that could be exploited by attackers to run arbitrary code or access sensitive information.

The BleedingTooth flaws are tracked as CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490.

The most severe of the vulnerabilities is a heap-based type confusion flaw (CVE-2020-12351) that has been rated as high severity and received a CVSS score of 8.3 out of 10.

A remote attacker within the Bluetooth range of the victim can exploit the flaw by knowing the bd address of the target device. The attacker can trigger the vulnerability by sending a malicious l2cap packet, which can lead to denial of service or even execution of arbitrary code, with kernel privileges.

According to the Google security researcher, the issue is a zero-click flaw that means that it does not require user interaction to be exploited.

Nguyen released a Proof-of-concept code for this vulnerability an exploit along with a video PoC demonstrating the issue.


The second issue found by the expert is a stack-based information leak that is tracked as CVE-2020-12352. The flaw impacts Linux kernel 3.6 and higher, it is classified as medium severity and received a CVSS score of 5.3.

“A remote attacker in short distance knowing the victim’s bd address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR. The leak may contain other valuable information such as the encryption keys,” reads the security advisory published by Google.

The third vulnerability tracked as CVE-2020-24490, is a heap-based buffer overflow that resides in net/bluetooth/hci_event.c. and affects Linux kernel 4.19 and higher.

The vulnerability is classified as medium risk and received a CVSS score of 5.3.
“A remote attacker in short distance can broadcast extended advertising data and cause denial of service or possibly arbitrary code execution with kernel privileges on victim machines if they are equipped with Bluetooth 5 chips and are in scanning mode. Malicious or vulnerable Bluetooth chips (e.g. compromised by BLEEDINGBIT or similar) can trigger the vulnerability as well.” reads the security advisory.


  • Thanks 1

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...