CVE-2021-28139 Information
Jun 07, 2022
Description
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
https://github.com/espressif/esp32-bt-lib
https://dl.packetstormsecurity.net/papers/general/braktooth.pdf
https://www.espressif.com/en/products/socs/esp32
https://github.com/espressif/esp-idf
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH