Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

BleedingTooth: Vulnerabilities in Linux Bluetooth Allow Zero-Click Attacks

Bluetooth vulnerabilities that a Google security researcher has identified in the Linux kernel could be exploited to run arbitrary code or access sensitive information.

Bluetooth vulnerabilities that a Google security researcher has identified in the Linux kernel could be exploited to run arbitrary code or access sensitive information.

Referred to as BleedingTooth, the issues were identified by Andy Nguyen, a security engineer from Google, and are tracked as CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490. They were introduced in 2016, 2012, and 2018, respectively.

The most severe of these flaws is CVE-2020-12351, a heap-based type confusion that affects Linux kernel 4.8 and higher. The issue features a high severity rating (CVSS score of 8.3).

The bug can be exploited by a remote attacker within Bluetooth range of the victim and which knows the bd address of the target device. To trigger the flaw, the attacker would have to send a malicious l2cap packet, which can lead to denial of service or even execution of arbitrary code, with kernel privileges.

An attacker looking to trigger the vulnerability can also use a malicious Bluetooth chip for that. Proof-of-concept code for an exploit can be found on GitHub.

The bug, Nguyen explains, does not require user interaction to be exploited (it is a zero-click vulnerability). A video demonstrating the issue is embedded below.

The second issue, CVE-2020-12352, is a stack-based information leak that impacts Linux kernel 3.6 and higher. The bug is considered medium severity (CVSS score of 5.3).

“A remote attacker in short distance knowing the victim’s bd address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR. The leak may contain other valuable information such as the encryption keys,” Google’s researchers explain.

Tracked as CVE-2020-24490 and considered medium risk (CVSS score of 5.3), the third vulnerability is a heap-based buffer overflow that affects Linux kernel 4.19 and higher.

A remote attacker within short range of a vulnerable device can trigger the flaw through broadcasting extended advertising data. This could lead to denial of service or even arbitrary code execution with kernel privileges.

Only devices that feature Bluetooth 5 chips and which are in scanning mode are vulnerable to this flaw, but an attacker could also use malicious chips to trigger the vulnerability, Google’s researchers note.

PoC code for both medium-severity flaws has been published on GitHub.

BlueZ, the official Linux Bluetooth protocol stack, has announced Linux kernel fixes that patch all three of these security issues, Intel reveals. The company notes that the vulnerabilities affect “all Linux kernel versions before 5.9 that support BlueZ.”

The tech giant recommends updating Linux kernel to version 5.9 or later. Provided that an update is not possible, several kernel fixes are available to address the issues.

Related: BLURtooth Vulnerability Can Allow Bluetooth MITM Attacks

Related: Critical Bluetooth Vulnerability Exposes Android Devices to Attacks

Related: Bluetooth Vulnerability Allows Attackers to Impersonate Previously Paired Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet