Vulnerability Description
BlueZ is a Bluetooth protocol stack for Linux. In affected versions, a vulnerability exists in sdp_cstate_alloc_buf, which allocates a buffer that is always left hanging in the singly linked list of cstates and is never freed, causing a memory leak over time. The leaked data can be a very large object, and an attacker can trigger the allocation repeatedly by continuously sending SDP packets, which may cause the service on the target device to crash.
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bluez | Bluez | 5.58 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq (Exploit, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/11/msg00022.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20211203-0004/ (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2024/09/msg00022.html
FAQ
What is CVE-2021-41229?
CVE-2021-41229 is a vulnerability with a CVSS score of 4.3 (MEDIUM). BlueZ is a Bluetooth protocol stack for Linux. In affected versions, a vulnerability exists in sdp_cstate_alloc_buf, which allocates a buffer that is always left hanging in the singly linked list of cstates...
How severe is CVE-2021-41229?
CVE-2021-41229 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-41229?
Check the references section above for vendor advisories and patch information. Affected products include: Bluez Bluez, Debian Debian Linux.