CVE-2021-41229

Name: CVE-2021-41229
Description: BlueZ is a Bluetooth protocol stack for Linux. In affected versions, a vulnerability exists in sdp_cstate_alloc_buf: it allocates memory that is always linked into the singly linked list of cstates and is never freed. This causes a memory leak over time. The leaked data can be a very large object, and an attacker can trigger the leak by continuously sending SDP packets, which may cause the service on the target device to crash.
NVD Severity: medium

References

| Type | URI |
| --- | --- |
| CONFIRM | https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq |
| Mailing List | https://lists.debian.org/debian-lts-announce/2021/11/msg00022.html |
| Third Party Advisory | https://security.netapp.com/advisory/ntap-20211203-0004/ |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:bluez:bluez:5.58:*:*:*:*:*:*:* | bluez | == None | == 5.58 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| bluez | 3.14-main | 5.58-r2 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |