VYPR
High severity · CVSS 8.8 · OSV Advisory · Published Nov 11, 2024 · Updated Apr 15, 2026

CVE-2020-10370

Description

Certain Cypress (and Broadcom) Wireless Combo chips such as CYW43455, when a 2021-01-26 Bluetooth firmware update is not present, allow a Bluetooth outage via a "Spectra" attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-10370 is a Spectra-class vulnerability in Cypress/Broadcom combo chips, like CYW43455, enabling Bluetooth outage via spectrum-coordination manipulation.

Vulnerability

Overview

CVE-2020-10370 affects certain Cypress/Broadcom Wireless Combo chips such as the CYW43455 (a Broadcom-designed part, hence the BCM4345C0 firmware file name). The issue belongs to the "Spectra" class of vulnerabilities, which abuse the coexistence (spectrum-coordination) mechanisms between the Bluetooth and Wi-Fi cores of a combo chip when they share the 2.4 GHz band. As documented by researchers from TU Darmstadt and Università degli Studi di Brescia, these mechanisms let an attacker who can already execute code on one wireless core affect the other core and its traffic [1]. For this CVE the effect is a denial of service (a Bluetooth outage), and the only fix is the Bluetooth firmware update released on 2021-01-26 [1][2].

Exploitation

An attacker must first gain the ability to execute arbitrary code on the Bluetooth co-processor. Once that foothold is established, the attacker abuses the hardware-level coexistence signaling shared by the Bluetooth and Wi-Fi cores; for this CVE the documented result is disruption of Bluetooth operation. No authentication is required beyond the initial Bluetooth compromise, and since that compromise is typically reached over the air, the practical precondition is a victim device with the affected combo chipset within normal Bluetooth range. The Spectra class as a whole has a broad attack surface because the same families of combo chips are used in modern iPhones, MacBooks, Samsung smartphones, and Raspberry Pi devices [1]; the CYW43455 named in this advisory is the part used in Raspberry Pi 3B+ and 4 boards, which is why the fix was published through the rpi-distro firmware repository.

Impact

Successful exploitation allows an attacker to induce a Bluetooth outage, preventing the device from using Bluetooth services. More broadly, the Spectra class crosses chip boundaries, so a Bluetooth compromise can affect Wi-Fi and vice versa [1]. For CVE-2020-10370 specifically, the advertised impact is a denial-of-service condition affecting Bluetooth availability [1][2]. The advisory rates the vulnerability High with a CVSS v3 score of 8.8. Note that 8.8 is higher than a pure availability impact yields under CVSS v3 (A:H alone caps at 7.5, or 8.6 with a changed scope), so check the vector string in the upstream record before relying on the number; the impact the references actually describe is the Bluetooth outage.

Mitigation

The fix for CVE-2020-10370 is a Bluetooth firmware update (e.g., the one committed to the RPi-Distro bluez-firmware repository) available since January 2021 [1][2]. However, coordination of this firmware update has been protracted; a 2022 Red Hat bug report noted the patch was not yet integrated into upstream linux-firmware, and the issue was closed as NOTABUG because the firmware distribution model varies by vendor and chip provider [3]. Users should ensure their device vendor provides an updated Bluetooth firmware that includes the Spectra patches for the specific Cypress/Broadcom chip model. The vulnerability was publicly disclosed alongside related CVEs (CVE-2020-10367, CVE-2020-10368, CVE-2020-10369) [3].
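The fix ships as a replacement BCM4345C0.hcd blob, and the commit diff above shows no text changes, so a practitioner who wants to confirm which firmware is installed has to inspect the binary itself. The following parser is an added example, not code from the page, the Spectra authors, or the rpi-distro project. It walks the .hcd format (a stream of raw HCI commands the host replays at boot: 2-byte little-endian opcode, 1-byte parameter length, parameters) and reports the SHA-256, the number of commands, the bytes loaded via the vendor Write_RAM command, and the Launch_RAM address. The sample blob at the bottom is constructed for the example and is not a real BCM4345C0.hcd; the installed path in the usage note is an assumption for Raspberry Pi OS.

```python
"""Summarize a Broadcom/Cypress .hcd Bluetooth patch blob.

Each record is an HCI command: opcode (u16 LE), plen (u8), then plen bytes
of parameters. Vendor-specific opcodes used by patchram downloads:
  0xFC2E Download_Minidriver   (no params)
  0xFC4C Write_RAM             (u32 LE address + data)
  0xFC4E Launch_RAM            (u32 LE address)
"""
import hashlib
import struct

OPCODE_NAMES = {
    0xFC2E: "Download_Minidriver",
    0xFC4C: "Write_RAM",
    0xFC4E: "Launch_RAM",
}


def parse_hcd(blob: bytes) -> dict:
    """Walk every command record in `blob` and return a summary dict.

    Raises ValueError on a truncated record so that a corrupt or
    mis-packaged firmware file is reported rather than silently accepted.
    """
    offset = 0
    records = []
    write_ram_bytes = 0
    launch_addr = None
    while offset < len(blob):
        if len(blob) - offset < 3:
            raise ValueError(f"truncated command header at offset {offset}")
        opcode, plen = struct.unpack_from("<HB", blob, offset)
        offset += 3
        if len(blob) - offset < plen:
            raise ValueError(
                f"truncated parameters for opcode 0x{opcode:04X} at offset {offset}")
        params = blob[offset:offset + plen]
        offset += plen
        addr = None
        if opcode in (0xFC4C, 0xFC4E):
            if plen < 4:
                raise ValueError(f"short address field for opcode 0x{opcode:04X}")
            addr = struct.unpack_from("<I", params)[0]
        if opcode == 0xFC4C:
            write_ram_bytes += plen - 4      # payload after the 4-byte address
        elif opcode == 0xFC4E:
            launch_addr = addr
        records.append((opcode, OPCODE_NAMES.get(opcode, "Unknown"), addr, plen))
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "command_count": len(records),
        "write_ram_bytes": write_ram_bytes,
        "launch_addr": launch_addr,
        "records": records,
    }


def build_hcd(commands) -> bytes:
    """Serialize (opcode, params) pairs into .hcd form; used for the sample."""
    out = bytearray()
    for opcode, params in commands:
        out += struct.pack("<HB", opcode, len(params)) + params
    return bytes(out)


def summarize_file(path: str) -> dict:
    """Parse an .hcd file on disk (e.g. the installed BCM4345C0.hcd)."""
    with open(path, "rb") as f:
        return parse_hcd(f.read())


# Constructed sample (NOT a real BCM4345C0.hcd): minidriver download,
# two RAM writes of 16 and 8 bytes, then a launch record.
SAMPLE_HCD = build_hcd([
    (0xFC2E, b""),
    (0xFC4C, struct.pack("<I", 0x00210000) + bytes(range(16))),
    (0xFC4C, struct.pack("<I", 0x00210010) + bytes(8)),
    (0xFC4E, struct.pack("<I", 0xFFFFFFFF)),
])

if __name__ == "__main__":
    import sys
    info = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else parse_hcd(SAMPLE_HCD)
    print(f"sha256={info['sha256']} commands={info['command_count']} "
          f"write_ram_bytes={info['write_ram_bytes']} "
          f"launch_addr={info['launch_addr']:#010x}" if info['launch_addr'] is not None
          else f"sha256={info['sha256']} commands={info['command_count']} (no Launch_RAM)")
    for opcode, name, addr, plen in info["records"]:
        print(f"  0x{opcode:04X} {name:<20} addr={addr if addr is None else f'{addr:#010x}'} plen={plen}")
```

To use it against a real device, run the script on the installed blob (on Raspberry Pi OS this is assumed to be /lib/firmware/brcm/BCM4345C0.hcd) and compare the reported SHA-256 with that of broadcom/BCM4345C0.hcd at commit 8445a53ce2c5 in rpi-distro/bluez-firmware; a mismatch means the Spectra fix is not what the host is loading. For a live check of what the controller is actually running, the standard HCI Read_Local_Version_Information command (`hcitool -i hci0 cmd 0x04 0x0001`) returns the LMP subversion, which changes between firmware builds; record it before and after the update rather than trusting the file on disk alone, since a distribution may ship the file without the host stack loading it.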

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
8445a53ce2c5

Second Spectra fix for CYW43455 (CVE-2020-10370)

https://github.com/rpi-distro/bluez-firmware · Phil Elwell · Jan 26, 2021 · via osv
1 file changed (binary firmware blob, no text diff):
  • broadcom/BCM4345C0.hcd modified

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
