Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2022-39176

Published: 2 September 2022

BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.

Notes

AuthorNote
rodrigo-zaiden 
this and CVE-2022-39177 tracked in same LP bug

Priority

Medium

Cvss 3 Severity Score

8.8

Score breakdown

Status

Package Release Status
bluez
Launchpad, Ubuntu, Debian 		bionic
Released (5.48-0ubuntu3.9)
focal
Released (5.53-0ubuntu3.6)
jammy Not vulnerable
(5.64-0ubuntu1)
kinetic Not vulnerable
(5.65-0ubuntu1)
lunar Not vulnerable
(5.65-0ubuntu1)
mantic Not vulnerable
(5.65-0ubuntu1)
trusty Ignored
(end of standard support)
upstream
Released (5.61-1)
xenial Needed

Patches:
upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b
upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a
upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4

Severity score breakdown

Parameter Value
Base score 8.8
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading