{"api_version":"1","generated_at":"2026-04-23T04:10:08+00:00","cve":"CVE-2019-8922","urls":{"html":"https://cve.report/CVE-2019-8922","api":"https://cve.report/api/cve/CVE-2019-8922.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-8922","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-8922"},"summary":{"title":"CVE-2019-8922","description":"A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on whether there is enough space in the destination buffer. The function simply appends all data passed to it. The values of all attributes that are requested are appended to the output buffer. There are no size checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by process_request (in sdpd-request.c), which also allocates the response buffer.","state":"PUBLISHED","assigner":"mitre","published_at":"2021-11-29 08:15:07","updated_at":"2026-04-15 21:17:02"},"problem_types":["CWE-787","n/a","CWE-787 CWE-787 Out-of-bounds Write"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ADP","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"5.8","severity":"","vector":"AV:A/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:A/AC:L/Au:N/C:P/I:P/A:P","baseScore":5.8,"accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/","name":"https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"],"title":"SSD Advisory – Linux BlueZ Information Leak and Heap Overflow - SSD Secure Disclosure","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html","name":"https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 3157-1] bluez security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20211203-0002/","name":"https://security.netapp.com/advisory/ntap-20211203-0002/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"November 2021 BlueZ Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-8922","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-8922","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"8922","vulnerable":"1","versionEndIncluding":"5.48","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"bluez","cpe5":"bluez","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"8922","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"8922","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2019","cve_id":"8922","cve":"CVE-2019-8922","epss":"0.000550000","percentile":"0.171870000","score_date":"2026-04-15","updated_at":"2026-04-16 00:13:55"},"legacy_qids":[{"cve":"CVE-2019-8922","qid":"178914","title":"Debian Security Update for bluez (DLA 2827-1)"},{"cve":"CVE-2019-8922","qid":"181160","title":"Debian Security Update for bluez (DLA 3157-1)"},{"cve":"CVE-2019-8922","qid":"198597","title":"Ubuntu Security Notification for BlueZ Vulnerability (USN-5183-1)"},{"cve":"CVE-2019-8922","qid":"356420","title":"Amazon Linux Security Advisory for bluez : ALAS2-2023-2309"},{"cve":"CVE-2019-8922","qid":"671338","title":"EulerOS Security Update for bluez (EulerOS-SA-2022-1263)"},{"cve":"CVE-2019-8922","qid":"671361","title":"EulerOS Security Update for bluez (EulerOS-SA-2022-1286)"},{"cve":"CVE-2019-8922","qid":"671379","title":"EulerOS Security Update for bluez (EulerOS-SA-2022-1302)"},{"cve":"CVE-2019-8922","qid":"671653","title":"EulerOS Security Update for bluez (EulerOS-SA-2022-1707)"},{"cve":"CVE-2019-8922","qid":"752494","title":"SUSE Enterprise Linux Security Update for bluez (SUSE-SU-2022:2864-1)"},{"cve":"CVE-2019-8922","qid":"752508","title":"SUSE Enterprise Linux Security Update for bluez (SUSE-SU-2022:2900-1)"},{"cve":"CVE-2019-8922","qid":"752524","title":"SUSE Enterprise Linux Security Update for bluez (SUSE-SU-2022:2948-1)"},{"cve":"CVE-2019-8922","qid":"752696","title":"SUSE Enterprise Linux Security Update for bluez (SUSE-SU-2022:3691-1)"},{"cve":"CVE-2019-8922","qid":"752697","title":"SUSE Enterprise Linux Security Update for bluez (SUSE-SU-2022:3687-1)"}]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-04T21:31:37.498Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/"},{"tags":["x_transferred"],"url":"https://security.netapp.com/advisory/ntap-20211203-0002/"},{"name":"[debian-lts-announce] 20221024 [SECURITY] [DLA 3157-1] bluez security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2019-8922","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-15T21:06:02.932959Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-787","description":"CWE-787 Out-of-bounds Write","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-15T21:06:09.734Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on whether there is enough space in the destination buffer. The function simply appends all data passed to it. The values of all attributes that are requested are appended to the output buffer. There are no size checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by process_request (in sdpd-request.c), which also allocates the response buffer."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2022-10-24T00:00:00.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/"},{"url":"https://security.netapp.com/advisory/ntap-20211203-0002/"},{"name":"[debian-lts-announce] 20221024 [SECURITY] [DLA 3157-1] bluez security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html"}]}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2019-8922","datePublished":"2021-11-29T00:00:00.000Z","dateReserved":"2019-02-18T00:00:00.000Z","dateUpdated":"2026-04-15T21:06:09.734Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2021-11-29 08:15:07","lastModifiedDate":"2026-04-15 21:17:02","problem_types":["CWE-787","n/a","CWE-787 CWE-787 Out-of-bounds Write"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:A/AC:L/Au:N/C:P/I:P/A:P","baseScore":5.8,"accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":6.5,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:bluez:bluez:*:*:*:*:*:*:*:*","versionEndIncluding":"5.48","matchCriteriaId":"B46FC6F0-636B-46F4-815C-61DC2A543CBB"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"8922","Ordinal":"1","Title":"CVE-2019-8922","CVE":"CVE-2019-8922","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"8922","Ordinal":"1","NoteData":"A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on whether there is enough space in the destination buffer. The function simply appends all data passed to it. The values of all attributes that are requested are appended to the output buffer. There are no size checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by process_request (in sdpd-request.c), which also allocates the response buffer.","Type":"Description","Title":"CVE-2019-8922"},{"CveYear":"2019","CveId":"8922","Ordinal":"2","NoteData":"2021-11-29","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"8922","Ordinal":"3","NoteData":"2021-12-03","Type":"Other","Title":"Modified"}]}}}