{"api_version":"1","generated_at":"2026-04-23T05:15:39+00:00","cve":"CVE-2021-28139","urls":{"html":"https://cve.report/CVE-2021-28139","api":"https://cve.report/api/cve/CVE-2021-28139.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-28139","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-28139"},"summary":{"title":"CVE-2021-28139","description":"The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-09-07 07:15:00","updated_at":"2021-09-09 23:30:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://dl.packetstormsecurity.net/papers/general/braktooth.pdf","name":"https://dl.packetstormsecurity.net/papers/general/braktooth.pdf","refsource":"MISC","tags":[],"title":"","mime":"application/pdf","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/espressif/esp-idf","name":"https://github.com/espressif/esp-idf","refsource":"MISC","tags":[],"title":"GitHub - espressif/esp-idf: Espressif IoT Development Framework. Official development framework for ESP32.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.espressif.com/en/products/socs/esp32","name":"https://www.espressif.com/en/products/socs/esp32","refsource":"MISC","tags":[],"title":"ESP32 Wi-Fi & Bluetooth MCU I Espressif Systems","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/espressif/esp32-bt-lib","name":"https://github.com/espressif/esp32-bt-lib","refsource":"MISC","tags":[],"title":"GitHub - espressif/esp32-bt-lib: ESP32 Bluetooth stack (below HCI layer) precompiled libraries","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-28139","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28139","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"28139","vulnerable":"1","versionEndIncluding":"4.4","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"espressif","cpe5":"esp-idf","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28139","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"espressif","cpe5":"esp32","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-28139","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/espressif/esp-idf","refsource":"MISC","name":"https://github.com/espressif/esp-idf"},{"url":"https://github.com/espressif/esp32-bt-lib","refsource":"MISC","name":"https://github.com/espressif/esp32-bt-lib"},{"url":"https://www.espressif.com/en/products/socs/esp32","refsource":"MISC","name":"https://www.espressif.com/en/products/socs/esp32"},{"refsource":"MISC","name":"https://dl.packetstormsecurity.net/papers/general/braktooth.pdf","url":"https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"}]}},"nvd":{"publishedDate":"2021-09-07 07:15:00","lastModifiedDate":"2021-09-09 23:30:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:A/AC:L/Au:N/C:C/I:C/A:C","accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":8.3},"severity":"HIGH","exploitabilityScore":6.5,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*","versionEndIncluding":"4.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"28139","Ordinal":"203287","Title":"CVE-2021-28139","CVE":"CVE-2021-28139","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"28139","Ordinal":"1","NoteData":"The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"28139","Ordinal":"2","NoteData":"2021-09-07","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"28139","Ordinal":"3","NoteData":"2021-09-07","Type":"Other","Title":"Modified"}]}}}