{"api_version":"1","generated_at":"2026-04-23T04:11:58+00:00","cve":"CVE-2022-39176","urls":{"html":"https://cve.report/CVE-2022-39176","api":"https://cve.report/api/cve/CVE-2022-39176.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-39176","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-39176"},"summary":{"title":"CVE-2022-39176","description":"BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.","state":"PUBLISHED","assigner":"mitre","published_at":"2022-09-02 04:15:11","updated_at":"2026-04-15 21:17:03"},"problem_types":["NVD-CWE-noinfo","n/a","CWE-noinfo Not enough information"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ADP","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://ubuntu.com/security/notices/USN-5481-1","name":"https://ubuntu.com/security/notices/USN-5481-1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory"],"title":"USN-5481-1: BlueZ vulnerabilities | Ubuntu security notices | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html","name":"https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 3157-1] bluez security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00022.html","name":"https://lists.debian.org/debian-lts-announce/2024/09/msg00022.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.netapp.com/advisory/ntap-20221020-0002/","name":"https://security.netapp.com/advisory/ntap-20221020-0002/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"September 2022 BlueZ Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968","name":"https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"Bug #1977968 “Security update tracking bug” : Bugs : bluez package : Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-39176","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39176","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"39176","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"bluez","cpe5":"bluez","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39176","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39176","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"20.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"39176","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2022","cve_id":"39176","cve":"CVE-2022-39176","epss":"0.001180000","percentile":"0.306980000","score_date":"2026-04-15","updated_at":"2026-04-16 00:13:55"},"legacy_qids":[{"cve":"CVE-2022-39176","qid":"181160","title":"Debian Security Update for bluez (DLA 3157-1)"},{"cve":"CVE-2022-39176","qid":"181887","title":"Debian Security Update for bluez (CVE-2022-39176)"},{"cve":"CVE-2022-39176","qid":"354128","title":"Amazon Linux Security Advisory for bluez : ALAS2-2022-1881"},{"cve":"CVE-2022-39176","qid":"672771","title":"EulerOS Security Update for bluez (EulerOS-SA-2023-1491)"},{"cve":"CVE-2022-39176","qid":"753571","title":"SUSE Enterprise Linux Security Update for bluez (SUSE-SU-2023:0168-1)"},{"cve":"CVE-2022-39176","qid":"753574","title":"SUSE Enterprise Linux Security Update for bluez (SUSE-SU-2023:0166-1)"},{"cve":"CVE-2022-39176","qid":"753578","title":"SUSE Enterprise Linux Security Update for bluez (SUSE-SU-2023:0155-1)"},{"cve":"CVE-2022-39176","qid":"753579","title":"SUSE Enterprise Linux Security Update for bluez (SUSE-SU-2023:0156-1)"}]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2025-11-04T16:09:51.043Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://ubuntu.com/security/notices/USN-5481-1"},{"tags":["x_transferred"],"url":"https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968"},{"tags":["x_transferred"],"url":"https://security.netapp.com/advisory/ntap-20221020-0002/"},{"name":"[debian-lts-announce] 20221024 [SECURITY] [DLA 3157-1] bluez security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00022.html"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2022-39176","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2025-06-13T18:52:42.802885Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"description":"CWE-noinfo Not enough information","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-15T21:07:28.126Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2022-10-24T00:00:00.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://ubuntu.com/security/notices/USN-5481-1"},{"url":"https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968"},{"url":"https://security.netapp.com/advisory/ntap-20221020-0002/"},{"name":"[debian-lts-announce] 20221024 [SECURITY] [DLA 3157-1] bluez security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html"}]}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2022-39176","datePublished":"2022-09-02T00:00:00.000Z","dateReserved":"2022-09-02T00:00:00.000Z","dateUpdated":"2026-04-15T21:07:28.126Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2022-09-02 04:15:11","lastModifiedDate":"2026-04-15 21:17:03","problem_types":["NVD-CWE-noinfo","n/a","CWE-noinfo Not enough information"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:bluez:bluez:*:*:*:*:*:*:*:*","versionEndExcluding":"5.59","matchCriteriaId":"8207A8CC-FF6D-44A1-B3A1-197B3568161F"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","matchCriteriaId":"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D"},{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*","matchCriteriaId":"902B8056-9E37-443B-8905-8AA93E2447FB"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"39176","Ordinal":"1","Title":"CVE-2022-39176","CVE":"CVE-2022-39176","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"39176","Ordinal":"1","NoteData":"BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.","Type":"Description","Title":"CVE-2022-39176"}]}}}