Medium severity 6.5 · NVD Advisory · Published Nov 29, 2021 · Updated Apr 15, 2026
CVE-2019-8921
Description
An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the same.
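The missing check the description points to, as an added example in C (a simplified model, not BlueZ source or the upstream patch; all struct and function names are hypothetical): the server records the offset it handed out and rejects any continuation state that does not echo it back unchanged.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not BlueZ source: every name here is hypothetical. */
struct cont_state {           /* continuation state echoed back by the client */
    uint32_t timestamp;       /* identifies the cached response */
    uint16_t bytes_sent;      /* offset the client claims to have reached */
};

struct cached_rsp {           /* server-side record of one partial response */
    uint32_t timestamp;
    const uint8_t *data;
    size_t data_size;
    size_t expected_sent;     /* offset the server itself handed out last */
};

/* Copies the next fragment into out; returns bytes copied, or -1 to reject. */
int next_fragment(struct cached_rsp *c, const struct cont_state *cs,
                  uint8_t *out, size_t max_rsp)
{
    /* The echoed state must equal what the server recorded. */
    if (cs->timestamp != c->timestamp || cs->bytes_sent != c->expected_sent)
        return -1;
    /* Defence in depth: offset inside the buffer, so the subtraction cannot wrap. */
    if (cs->bytes_sent >= c->data_size)
        return -1;
    size_t left = c->data_size - cs->bytes_sent;
    size_t n = left < max_rsp ? left : max_rsp;
    memcpy(out, c->data + cs->bytes_sent, n);
    c->expected_sent = cs->bytes_sent + n;
    return (int)n;
}

/* Constructed sample: 8-byte cached response, 4 bytes already sent. */
int demo_offset(uint16_t claimed)
{
    static const uint8_t rsp[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    struct cached_rsp c = { 0x1234, rsp, sizeof rsp, 4 };
    struct cont_state cs = { 0x1234, claimed };
    uint8_t out[16];
    return next_fragment(&c, &cs, out, sizeof out);
}

int main(void) { printf("%d %d\n", demo_offset(4), demo_offset(200)); return 0; }
```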
Affected products (33)
osv-coords: 29 versions of pkg:rpm/suse/bluez (no CPE), by distro and affected range:
- SUSE Enterprise Storage 6: < 5.48-150000.5.41.1
- SUSE Enterprise Storage 7: < 5.48-150200.13.17.1
- SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS: < 5.48-150000.5.41.1
- SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS: < 5.48-150000.5.41.1
- SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS: < 5.48-150200.13.17.1
- SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS: < 5.48-150200.13.17.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS: < 5.48-150000.5.41.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS: < 5.48-150000.5.41.1
- SUSE Linux Enterprise Server 12 SP2-BCL: < 5.13-5.31.1
- SUSE Linux Enterprise Server 12 SP3-BCL: < 5.13-5.31.1
- SUSE Linux Enterprise Server 12 SP4-LTSS: < 5.13-5.31.1
- SUSE Linux Enterprise Server 12 SP5: < 5.13-5.31.1
- SUSE Linux Enterprise Server 15 SP1-BCL: < 5.48-150000.5.41.1
- SUSE Linux Enterprise Server 15 SP1-LTSS: < 5.48-150000.5.41.1
- SUSE Linux Enterprise Server 15 SP2-BCL: < 5.48-150200.13.17.1
- SUSE Linux Enterprise Server 15 SP2-LTSS: < 5.48-150200.13.17.1
- SUSE Linux Enterprise Server 15-LTSS: < 5.48-150000.5.41.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP4: < 5.13-5.31.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5: < 5.13-5.31.1
- SUSE Linux Enterprise Server for SAP Applications 15: < 5.48-150000.5.41.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP1: < 5.48-150000.5.41.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2: < 5.48-150200.13.17.1
- SUSE Linux Enterprise Software Development Kit 12 SP5: < 5.13-5.31.1
- SUSE Linux Enterprise Workstation Extension 12 SP5: < 5.13-5.31.1
- SUSE Manager Proxy 4.1: < 5.48-150200.13.17.1
- SUSE Manager Retail Branch Server 4.1: < 5.48-150200.13.17.1
- SUSE Manager Server 4.1: < 5.48-150200.13.17.1
- SUSE OpenStack Cloud 9: < 5.13-5.31.1
- SUSE OpenStack Cloud Crowbar 9: < 5.13-5.31.1
References (3)
- ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/ (nvd: Exploit, Patch, Third Party Advisory)
- lists.debian.org/debian-lts-announce/2022/10/msg00026.html (nvd: Mailing List, Third Party Advisory)
- security.netapp.com/advisory/ntap-20211203-0002/ (nvd: Third Party Advisory)