CVE-2021-28136

EUVD-2021-14835
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
Affected Products (NVD)
VendorProductVersion
espressifesp-idf
𝑥
≤ 4.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://dl.packetstormsecurity.net/papers/general/braktooth.pdf
https://github.com/espressif/esp-idf
https://github.com/espressif/esp32-bt-lib
https://www.espressif.com/en/products/socs/esp32
https://dl.packetstormsecurity.net/papers/general/braktooth.pdf
https://github.com/espressif/esp-idf
https://github.com/espressif/esp32-bt-lib
https://www.espressif.com/en/products/socs/esp32