Skip to main content
CVE Vulnerability Database

CVE-2022-0204: Bluez Heap Overflow DoS Vulnerability

CVE-2022-0204 is a heap overflow denial of service vulnerability in Bluez that allows attackers with local network access to crash applications. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2022-0204 Overview

A heap overflow vulnerability was discovered in BlueZ, the official Linux Bluetooth protocol stack, affecting versions prior to 5.63. This memory corruption flaw allows an attacker with local network access (adjacent network) to pass specially crafted files that can cause application crashes or denial of service conditions. The vulnerability stems from improper bounds checking when handling GATT (Generic Attribute Profile) prepare write operations.

Critical Impact

Adjacent network attackers can exploit this heap overflow to achieve high impact on confidentiality, integrity, and availability of affected systems running BlueZ Bluetooth services.

Affected Products

  • BlueZ versions prior to 5.63
  • Fedora 35
  • Debian Linux 10.0

Discovery Timeline

  • 2022-03-10 - CVE-2022-0204 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2022-0204

Vulnerability Analysis

This vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-190 (Integer Overflow or Wraparound). The flaw exists in the GATT server implementation within BlueZ, specifically in how the software handles prepare write operations. When processing attribute write requests, the code fails to properly validate the combination of length and offset parameters before appending data to buffers, creating conditions where heap memory can be overwritten beyond allocated boundaries.

The adjacent network attack vector means an attacker must be within Bluetooth range or on the same local network segment to exploit this vulnerability. No authentication or user interaction is required, making exploitation straightforward for attackers with proximity access.

Root Cause

The root cause lies in the src/shared/gatt-server.c file where the GATT server processes write requests. The code did not implement adequate bounds checking when combining the length and offset parameters of prepare write operations. When these values are not properly validated against BT_ATT_MAX_VALUE_LEN, the resulting operation can exceed the allocated buffer size, causing a heap overflow condition.

Attack Vector

An attacker positioned on an adjacent network (within Bluetooth range) can send specially crafted GATT prepare write requests with manipulated length and offset values. By setting these parameters to values that, when combined, exceed BT_ATT_MAX_VALUE_LEN, the attacker can trigger a heap overflow. This can lead to:

  1. Application crashes and denial of service
  2. Potential memory corruption affecting other heap-allocated data
  3. System instability in Bluetooth-dependent services
c
// Security patch from src/shared/gatt-server.c
// Source: https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0

 				server->authorize_data);
 }
 
+static uint8_t check_length(uint16_t length, uint16_t offset)
+{
+	if (length > BT_ATT_MAX_VALUE_LEN)
+		return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+	if (offset > BT_ATT_MAX_VALUE_LEN)
+		return BT_ATT_ERROR_INVALID_OFFSET;
+
+	if (length + offset > BT_ATT_MAX_VALUE_LEN)
+		return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+	return 0;
+}
+
 static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
				uint16_t length, void *user_data)
 {

The patch introduces a new check_length() function that validates both individual parameters and their sum against BT_ATT_MAX_VALUE_LEN, returning appropriate ATT error codes when bounds are exceeded.

Detection Methods for CVE-2022-0204

Indicators of Compromise

  • Unexpected crashes or restarts of the bluetoothd daemon
  • Segmentation fault errors in system logs related to BlueZ services
  • Unusual Bluetooth connection attempts from unknown devices
  • Memory-related errors in /var/log/syslog or journalctl output for Bluetooth services

Detection Strategies

  • Monitor for abnormal Bluetooth ATT (Attribute Protocol) traffic patterns, particularly prepare write requests with unusual length/offset combinations
  • Deploy endpoint detection solutions to identify heap corruption attempts in BlueZ processes
  • Implement runtime memory protection tools such as AddressSanitizer (ASan) in development/testing environments
  • Use SentinelOne Singularity to detect memory exploitation attempts and anomalous process behavior

Monitoring Recommendations

  • Enable verbose logging for BlueZ services using bluetoothd -d for debugging
  • Monitor system resource usage for bluetoothd process to detect memory anomalies
  • Configure alerting for repeated Bluetooth service failures or restarts
  • Review Bluetooth pairing and connection logs for suspicious activity from nearby devices

How to Mitigate CVE-2022-0204

Immediate Actions Required

  • Upgrade BlueZ to version 5.63 or later immediately
  • If upgrade is not possible, consider disabling Bluetooth services on critical systems temporarily
  • Restrict physical proximity access to systems with Bluetooth enabled
  • Apply vendor-specific patches from Fedora, Debian, or Gentoo repositories

Patch Information

The official fix is available in BlueZ version 5.63 and later. The security patch (commit 591c546c536b42bef696d027f64aa22434f8c3f0) adds proper bounds checking in the GATT server implementation. Additional resources include:

Workarounds

  • Disable Bluetooth services on systems where they are not essential using systemctl disable bluetooth
  • Implement network segmentation to limit adjacent network attack surface
  • Use Bluetooth adapter hardware controls to disable radio when not in use
  • Apply host-based firewall rules to restrict Bluetooth-related network traffic
bash
# Disable BlueZ Bluetooth service temporarily
sudo systemctl stop bluetooth
sudo systemctl disable bluetooth

# Check BlueZ version to verify if vulnerable
bluetoothd --version

# Update BlueZ on Debian-based systems
sudo apt update && sudo apt upgrade bluez

# Update BlueZ on Fedora
sudo dnf update bluez

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.