CVE-2019-14620

Vulnerability

A flaw in the control flow management of Intel(R) Wireless Bluetooth(R) products (including Intel Dual Band Wireless-AC 8265, Wireless-AC 9260, Wireless-AC 9560, and Wireless-AC 9462) [1] may allow denial of service. The vulnerability is present in the Bluetooth stack's handling of certain connection management frames. Affected driver versions include those before 21.20.0.4 for Windows and before 4.0 for Linux [1].

Exploitation

An attacker positioned within Bluetooth range (adjacent network access) can send crafted Bluetooth packets to trigger an invalid internal state in the target device's Bluetooth controller. No authentication or user interaction is required, as the vulnerable code path is reachable when the device has Bluetooth enabled and is in discoverable or connectable mode [1].

Impact

Successful exploitation causes a denial of service, rendering the Bluetooth subsystem unresponsive or crashing the Bluetooth driver. This prevents the device from using Bluetooth functionality until the driver is reloaded or the system is rebooted. There is no indication of information disclosure or code execution [1].

Mitigation

Intel released driver updates to address this vulnerability: version 21.20.0.4 or later for Windows, and version 4.0 or later for Linux, dated December 2019 [1]. Users should update their Bluetooth drivers from their system manufacturer or Intel's support site. No workarounds are provided by Intel beyond disabling Bluetooth if the update cannot be applied immediately [1].