CVE-2022-0204 Overview
A heap overflow vulnerability was discovered in BlueZ, the official Linux Bluetooth protocol stack, affecting versions prior to 5.63. The flaw is in the GATT server's handling of ATT Prepare Write Requests: the code did not check that a request's value offset and length fit within the maximum attribute value length before appending the data, so an attacker within Bluetooth radio range (CVSS attack vector: adjacent) could send specially crafted prepare write requests that corrupt heap memory in bluetoothd and crash it, causing a denial of service.
Critical Impact
The NVD CVSS v3.1 assessment treats this as an adjacent-network attack with low complexity, no privileges and no user interaction, and rates the impact on confidentiality, integrity and availability as High. That rating is the ceiling for an uncontrolled heap overwrite in a daemon that normally runs as root; the outcome actually described for this bug is a bluetoothd crash and loss of Bluetooth service on the affected host.
Affected Products
- BlueZ versions prior to 5.63
- Fedora 35
- Debian Linux 10.0
The two distribution entries are the ones listed for the CVE; any other distribution that packaged BlueZ below 5.63 is equally affected until it ships a backported fix.
Discovery Timeline
- 2022-03-10 - CVE-2022-0204 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2022-0204
Vulnerability Analysis
This vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-190 (Integer Overflow or Wraparound). The flaw is in the GATT server implementation in BlueZ, specifically in how it handles ATT Prepare Write Requests. Each such request carries a 16-bit attribute handle, a 16-bit value offset and a partial value; the server queues the chunk and, when the client later sends an Execute Write Request, appends the queued chunks into the attribute value. Before the fix the code did not validate the offset, the length, or their sum against the maximum attribute value length before appending, so a client could make the write run past the end of the heap buffer holding the value. The CWE-190 classification reflects that the missing check is arithmetic on two attacker-controlled 16-bit fields.
The adjacent attack vector means the attacker must be within Bluetooth radio range of the target and able to open an ATT connection to it. ATT is carried over L2CAP on the Bluetooth link, not over IP, so being on the same LAN segment is neither necessary nor sufficient. Per the CVSS vector no privileges and no user interaction are required, which lowers the bar for anyone with physical proximity.
Root Cause
The root cause is in src/shared/gatt-server.c, where the GATT server handles Prepare Write Requests. The code did not validate the request's length and offset, individually or combined, against BT_ATT_MAX_VALUE_LEN (512, the ATT maximum attribute value length) before appending the chunk, so a client could make offset + length exceed the size of the buffer holding the attribute value and overwrite adjacent heap memory.
Attack Vector
An attacker positioned on an adjacent network (within Bluetooth range) can send specially crafted GATT prepare write requests with manipulated length and offset values. By setting these parameters to values that, when combined, exceed BT_ATT_MAX_VALUE_LEN, the attacker can trigger a heap overflow. This can lead to:
- Application crashes and denial of service
- Potential memory corruption affecting other heap-allocated data
- System instability in Bluetooth-dependent services
// Security patch from src/shared/gatt-server.c
// Source: https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0
server->authorize_data);
}
+static uint8_t check_length(uint16_t length, uint16_t offset)
+{
+ if (length > BT_ATT_MAX_VALUE_LEN)
+ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+ if (offset > BT_ATT_MAX_VALUE_LEN)
+ return BT_ATT_ERROR_INVALID_OFFSET;
+
+ if (length + offset > BT_ATT_MAX_VALUE_LEN)
+ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+
+ return 0;
+}
+
static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
uint16_t length, void *user_data)
{
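Review bot: no call site for check_length() is visible in this hunk, so from these lines alone it cannot be seen that the prepare-write handler invokes it before the chunk is queued or appended; confirm the call is part of the same commit, otherwise the helper is dead code and the overflow remains. On the helper itself, the first test is subsumed by the third (any length above BT_ATT_MAX_VALUE_LEN also pushes length + offset above it, with the same BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN result), so it only acts as an early exit; the separate offset test is what makes BT_ATT_ERROR_INVALID_OFFSET reachable and should stay ahead of the sum test. The sum cannot wrap only because both uint16_t parameters promote to int before the addition; a one-line comment saying so, or writing the last test as `if (offset > BT_ATT_MAX_VALUE_LEN - length)` (valid once the first test has bounded length), would keep it correct if the parameter types are ever widened.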
The patch introduces check_length(), which rejects a length above BT_ATT_MAX_VALUE_LEN, an offset above it, or a combined length and offset above it, and returns the ATT error codes Invalid Attribute Value Length or Invalid Offset to the client instead of appending the data.
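As an added example for the root cause and attack vector described above (not BlueZ code and not part of the original page), the following C model shows the pre-fix append, the 5.63 check, and the 16-bit wraparound that the CWE-190 classification refers to. The struct names, the apply_* functions, the guard region and the request values are assumptions constructed for the example; only BT_ATT_MAX_VALUE_LEN, the two ATT error codes and check_length() itself are taken from the patch and the ATT specification.

```c
/* Constructed model of the BlueZ GATT server prepare-write path. Added example,
 * not BlueZ code: structs, apply_* functions and the guard region are stand-ins.
 * BT_ATT_MAX_VALUE_LEN and the ATT error codes match the spec/BlueZ headers. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BT_ATT_MAX_VALUE_LEN                     512  /* ATT max attribute value */
#define BT_ATT_ERROR_INVALID_OFFSET              0x07 /* ATT error codes */
#define BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN 0x0d
#define GUARD_LEN  64
#define GUARD_BYTE 0xA5

/* Attacker-controlled fields of one Prepare Write Request (hypothetical). */
struct prep_write {
	uint16_t offset, length;
	uint8_t value[BT_ATT_MAX_VALUE_LEN];
};

/* Heap-allocated attribute value followed by a guard region so the example
 * can measure how far a write ran past value[] without hitting other data. */
struct attr_store {
	uint8_t value[BT_ATT_MAX_VALUE_LEN];
	uint8_t guard[GUARD_LEN];
};

static size_t guard_clobbered(const struct attr_store *s)
{
	size_t n = 0;
	for (size_t i = 0; i < GUARD_LEN; i++)
		n += (s->guard[i] != GUARD_BYTE);
	return n;
}

/* The 5.63 check (from the patch). uint16_t promotes to int, so no wrap. */
static uint8_t check_length(uint16_t length, uint16_t offset)
{
	if (length > BT_ATT_MAX_VALUE_LEN)
		return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
	if (offset > BT_ATT_MAX_VALUE_LEN)
		return BT_ATT_ERROR_INVALID_OFFSET;
	if (length + offset > BT_ATT_MAX_VALUE_LEN)
		return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
	return 0;
}

/* Hypothetical contrast, not BlueZ code: the same test with the sum kept in
 * 16 bits (the CWE-190 shape). 0xFFF0 + 0x20 wraps to 0x10 and is accepted. */
static uint8_t check_length_truncating(uint16_t length, uint16_t offset)
{
	uint16_t end = (uint16_t)(length + offset);
	return end > BT_ATT_MAX_VALUE_LEN ? BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN : 0;
}

/* Pre-fix shape: copy to value + offset with no bounds check. A byte loop
 * keeps the overrun observable in the guard instead of tripping fortify. */
static void apply_prep_write_vulnerable(struct attr_store *s, const struct prep_write *pw)
{
	uint8_t *dst = s->value + pw->offset;   /* may point past value[] */
	for (uint16_t i = 0; i < pw->length; i++)
		dst[i] = pw->value[i];
}

/* Post-fix shape: validate first; on failure return the ATT error, write nothing. */
static uint8_t apply_prep_write_fixed(struct attr_store *s, const struct prep_write *pw)
{
	uint8_t ecode = check_length(pw->length, pw->offset);
	if (!ecode)
		memcpy(s->value + pw->offset, pw->value, pw->length);
	return ecode;
}

/* Sends a constructed request (offset 500 + length 20 = 520 > 512) through one
 * path. Returns bytes written past value[]; *ecode gets the fixed path's reply. */
static size_t run_crafted(int use_fix, uint8_t *ecode)
{
	struct attr_store *s = calloc(1, sizeof(*s));
	struct prep_write pw = { .offset = 500, .length = 20 };
	size_t n;

	if (!s)
		abort();
	memset(s->guard, GUARD_BYTE, GUARD_LEN);
	memset(pw.value, 0x41, pw.length);
	*ecode = use_fix ? apply_prep_write_fixed(s, &pw) : 0;
	if (!use_fix)
		apply_prep_write_vulnerable(s, &pw);
	n = guard_clobbered(s);
	free(s);
	return n;
}

int main(void)
{
	uint8_t ecode;
	printf("pre-fix: %zu bytes written past value[]\n", run_crafted(0, &ecode));
	printf("5.63: %zu bytes past value[]", run_crafted(1, &ecode));
	printf(", ATT error 0x%02x\n", ecode);
	printf("16-bit sum check, offset 0xFFF0 len 0x20: 0x%02x (accepted)\n",
	       check_length_truncating(0x20, 0xFFF0));
	return 0;
}
```

Because the guard sits inside the same allocation, the overrun is measured (8 bytes) rather than crashing the process; in bluetoothd the same bytes land in whatever neighbours the value buffer on the heap, which is why the observable symptom is an unpredictable crash rather than a clean error. The truncating variant is included only to show why the sum must be evaluated in a type wider than the operands: with a 16-bit sum, an offset of 0xFFF0 passes the check that the real check_length() rejects with Invalid Offset.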
Detection Methods for CVE-2022-0204
Indicators of Compromise
- Unexpected crashes or restarts of the bluetoothd daemon
- Segmentation fault errors in system logs related to BlueZ services
- Unusual Bluetooth connection attempts from unknown devices
- Memory-related errors in /var/log/syslog or journalctl output for Bluetooth services
Detection Strategies
- Capture ATT traffic with btmon (shipped with BlueZ) and look for Prepare Write Requests (opcode 0x16) whose offset, or offset plus value length, exceeds 512 bytes; no legitimate client needs to address beyond the maximum attribute value length
- Deploy endpoint detection that identifies heap corruption and abnormal crashes in the bluetoothd process
- Build and run BlueZ under AddressSanitizer (ASan) in development and test environments to surface out-of-bounds writes before they reach production
- Use SentinelOne Singularity to detect memory exploitation attempts and anomalous process behavior
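As an added example (not BlueZ code and not from the page's references), the following C parser shows the check such a traffic monitor would apply to ATT PDUs, for instance exported from a btmon capture: it decodes Prepare Write Requests (opcode 0x16: one opcode byte, a little-endian handle, a little-endian offset, then the partial value) and flags any whose offset, or offset plus value length, exceeds 512. The sample PDUs and the flagging logic are constructed for illustration; the opcode values and layout are from the ATT specification.

```c
/* Added example (not BlueZ code): minimal parser for ATT Prepare Write Request
 * PDUs, as a monitor fed from a btmon/hcidump capture might use to flag requests
 * whose offset or offset + value length exceed the ATT maximum attribute value
 * length. The sample PDUs below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATT_OP_WRITE_REQ      0x12
#define ATT_OP_PREP_WRITE_REQ 0x16  /* opcode, handle(2 LE), offset(2 LE), value */
#define ATT_MAX_VALUE_LEN     512
#define PREP_WRITE_HDR_LEN    5

struct prep_write_req {
	uint16_t handle;
	uint16_t offset;
	size_t value_len;
	bool suspicious;   /* offset alone, or offset + value_len, beyond 512 */
};

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

/* Fills *out and returns true for a well-formed Prepare Write Request; returns
 * false for other opcodes or PDUs shorter than the fixed header. */
static bool parse_prep_write(const uint8_t *pdu, size_t len, struct prep_write_req *out)
{
	if (len < PREP_WRITE_HDR_LEN || pdu[0] != ATT_OP_PREP_WRITE_REQ)
		return false;
	out->handle = get_le16(pdu + 1);
	out->offset = get_le16(pdu + 3);
	out->value_len = len - PREP_WRITE_HDR_LEN;
	/* size_t arithmetic, so the sum cannot wrap the way a 16-bit one could */
	out->suspicious = out->offset > ATT_MAX_VALUE_LEN ||
			  (size_t)out->offset + out->value_len > ATT_MAX_VALUE_LEN;
	return true;
}

/* True only for a prepare write that targets beyond the 512-byte limit. */
static bool pdu_is_suspicious(const uint8_t *pdu, size_t len)
{
	struct prep_write_req req;
	return parse_prep_write(pdu, len, &req) && req.suspicious;
}

/* Counts flagged PDUs in a batch; a real monitor would key this by the
 * peer's Bluetooth address and raise an alert. */
static unsigned count_suspicious(const uint8_t *const *pdus, const size_t *lens, size_t n)
{
	unsigned hits = 0;
	for (size_t i = 0; i < n; i++)
		hits += pdu_is_suspicious(pdus[i], lens[i]);
	return hits;
}

/* Constructed sample PDUs (ATT payload only, no L2CAP header). */
static const uint8_t pdu_benign[] = {	/* handle 0x0010, offset 0, 5-byte value */
	ATT_OP_PREP_WRITE_REQ, 0x10, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t pdu_overrun[] = {	/* offset 500 + 20 bytes = 520 > 512 */
	ATT_OP_PREP_WRITE_REQ, 0x10, 0x00, 0xF4, 0x01,
	0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
	0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };
static const uint8_t pdu_wild[] = {	/* offset 0xFFF0, 1-byte value */
	ATT_OP_PREP_WRITE_REQ, 0x10, 0x00, 0xF0, 0xFF, 0x00 };
static const uint8_t pdu_write[] = {	/* plain Write Request, not a prepare write */
	ATT_OP_WRITE_REQ, 0x10, 0x00, 0x01 };

/* Runs the four samples through the monitor; two of them are flagged. */
static unsigned demo_count(void)
{
	const uint8_t *const pdus[] = { pdu_benign, pdu_overrun, pdu_wild, pdu_write };
	const size_t lens[] = { sizeof(pdu_benign), sizeof(pdu_overrun),
				sizeof(pdu_wild), sizeof(pdu_write) };
	return count_suspicious(pdus, lens, 4);
}

int main(void)
{
	struct prep_write_req req;
	if (parse_prep_write(pdu_overrun, sizeof(pdu_overrun), &req))
		printf("handle 0x%04x offset %u len %zu suspicious=%d\n",
		       req.handle, req.offset, req.value_len, req.suspicious);
	printf("%u of 4 sample PDUs flagged\n", demo_count());
	return 0;
}
```

The parser only sees the ATT payload; when working from a btmon or hcidump capture, the L2CAP header (channel 0x0004 for ATT) has to be stripped first. A single PDU can carry up to 512 bytes of value only after MTU negotiation, so the offset field is the more common place for an oversized target to appear.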
Monitoring Recommendations
- Run bluetoothd with -d (debug logging) on a test host to see ATT and GATT activity in the journal; the output is voluminous, so this is for investigation rather than permanent production use
- Monitor system resource usage for bluetoothd process to detect memory anomalies
- Configure alerting for repeated Bluetooth service failures or restarts
- Review Bluetooth pairing and connection logs for suspicious activity from nearby devices
How to Mitigate CVE-2022-0204
Immediate Actions Required
- Upgrade BlueZ to version 5.63 or later
- Where an upgrade is not yet possible, stop and disable the bluetooth service on exposed systems until it is
- Limit who can come within Bluetooth radio range of systems that must keep Bluetooth enabled
- Prefer the distribution's backported fix (Fedora, Debian and Gentoo packages are referenced below) over building from source where a packaged fix exists
Patch Information
The official fix is available in BlueZ version 5.63 and later. The security patch (commit 591c546c536b42bef696d027f64aa22434f8c3f0) adds proper bounds checking in the GATT server implementation. Additional resources include:
- GitHub BlueZ Security Commit
- Red Hat Bug Report
- GitHub Security Advisory GHSA-479m-xcq5-9g2q
- Gentoo GLSA 202209-16
- Debian LTS Announcement
Workarounds
- Disable the Bluetooth service on systems where it is not essential using systemctl disable bluetooth
- Network segmentation and host-based IP firewall rules do not reduce exposure: ATT travels over L2CAP on the Bluetooth link, never over IP, so iptables or nftables never see it. The attack surface is the powered-on adapter and the GATT services it exports
- Keep the adapter non-discoverable (bluetoothctl discoverable off) and powered down when not in use (bluetoothctl power off); note that non-discoverable only hides the device from scans and does not stop a client that already knows its address from connecting
- Use rfkill block bluetooth or a hardware radio switch to disable the radio entirely when it is not needed
# Disable BlueZ Bluetooth service temporarily
sudo systemctl stop bluetooth
sudo systemctl disable bluetooth
# Check BlueZ version to verify if vulnerable
bluetoothd --version
# Update BlueZ on Debian-based systems
sudo apt update && sudo apt upgrade bluez
# Update BlueZ on Fedora
sudo dnf update bluez
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

