CVE-2023-50229
Publication date 3 May 2024
Last updated 23 January 2025
Ubuntu priority
BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20936.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| bluez | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 5.64-0ubuntu1.4
|
|
| 20.04 LTS focal |
Fixed 5.53-0ubuntu3.9
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
References
Related Ubuntu Security Notices (USN)
- USN-7222-1
- BlueZ vulnerabilities
- 22 January 2025