{"api_version":"1","generated_at":"2026-04-23T05:15:39+00:00","cve":"CVE-2021-28136","urls":{"html":"https://cve.report/CVE-2021-28136","api":"https://cve.report/api/cve/CVE-2021-28136.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-28136","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-28136"},"summary":{"title":"CVE-2021-28136","description":"The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-09-07 06:15:00","updated_at":"2021-09-09 23:32:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://dl.packetstormsecurity.net/papers/general/braktooth.pdf","name":"https://dl.packetstormsecurity.net/papers/general/braktooth.pdf","refsource":"MISC","tags":[],"title":"","mime":"application/pdf","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/espressif/esp-idf","name":"https://github.com/espressif/esp-idf","refsource":"MISC","tags":[],"title":"GitHub - espressif/esp-idf: Espressif IoT Development Framework. Official development framework for ESP32.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.espressif.com/en/products/socs/esp32","name":"https://www.espressif.com/en/products/socs/esp32","refsource":"MISC","tags":[],"title":"ESP32 Wi-Fi & Bluetooth MCU I Espressif Systems","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/espressif/esp32-bt-lib","name":"https://github.com/espressif/esp32-bt-lib","refsource":"MISC","tags":[],"title":"GitHub - espressif/esp32-bt-lib: ESP32 Bluetooth stack (below HCI layer) precompiled libraries","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-28136","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28136","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"28136","vulnerable":"1","versionEndIncluding":"4.4","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"espressif","cpe5":"esp-idf","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28136","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"espressif","cpe5":"esp32","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-28136","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/espressif/esp-idf","refsource":"MISC","name":"https://github.com/espressif/esp-idf"},{"url":"https://github.com/espressif/esp32-bt-lib","refsource":"MISC","name":"https://github.com/espressif/esp32-bt-lib"},{"url":"https://www.espressif.com/en/products/socs/esp32","refsource":"MISC","name":"https://www.espressif.com/en/products/socs/esp32"},{"refsource":"MISC","name":"https://dl.packetstormsecurity.net/papers/general/braktooth.pdf","url":"https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"}]}},"nvd":{"publishedDate":"2021-09-07 06:15:00","lastModifiedDate":"2021-09-09 23:32:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:A/AC:L/Au:N/C:N/I:N/A:P","accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":3.3},"severity":"LOW","exploitabilityScore":6.5,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*","versionEndIncluding":"4.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"28136","Ordinal":"203284","Title":"CVE-2021-28136","CVE":"CVE-2021-28136","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"28136","Ordinal":"1","NoteData":"The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"28136","Ordinal":"2","NoteData":"2021-09-07","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"28136","Ordinal":"3","NoteData":"2021-09-07","Type":"Other","Title":"Modified"}]}}}