An issue was discovered in the Bluetooth component of the Cypress (formerly owned by Broadcom) Wireless IoT codebase. Extended Inquiry Responses (EIRs) are improperly handled, which causes a heap-based buffer overflow during device inquiry. This overflow can be used to overwrite existing functions with arbitrary code. The Reserved for Future Use (RFU) bits are not discarded by eir_handleRx(), and are included in an EIR's length. Therefore, one can exceed the expected 240 bytes, which leads to a heap-based buffer overflow in eir_getReceivedEIR() called by bthci_event_SendInquiryResultEvent(). In order to exploit this bug, an attacker must repeatedly connect to the victim's device in a short amount of time from different source addresses. This will cause the victim's Bluetooth stack to resolve the device names and therefore allocate buffers with attacker-controlled data. Due to the heap corruption, the name will be eventually written to an attacker-controlled location, leading to a write-what-where condition.
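The defect described above is a missing bound on the reported EIR length before it is copied into a fixed 240-byte buffer, followed by name extraction from that buffer. The following added C example (not code from the Cypress stack or from the advisory) shows the receive-side checks a hardened implementation needs: the reported length is validated against the 240-byte field before the copy, and the AD-structure walk that pulls out the device name refuses any structure whose length runs past the end of the data. The buffer type, function names and the sample EIR bytes are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EIR_MAX_LEN 240u                 /* an EIR is a fixed 240-byte field */
#define AD_TYPE_COMPLETE_LOCAL_NAME 0x09u

typedef struct {                         /* fixed-size landing buffer (assumed) */
    uint8_t data[EIR_MAX_LEN];
    size_t  len;
} eir_buf_t;

/* Store a received EIR. rx_len is the length the lower layer reports and must
 * be validated here rather than trusted: the advisory's defect is that this
 * length can exceed 240 yet is copied anyway. Copies nothing if it does not fit. */
bool eir_store_received(eir_buf_t *dst, const uint8_t *rx, size_t rx_len) {
    if (dst == NULL || rx == NULL || rx_len > EIR_MAX_LEN) return false;
    memset(dst->data, 0, EIR_MAX_LEN);
    memcpy(dst->data, rx, rx_len);
    dst->len = rx_len;
    return true;
}

/* Walk the AD structures (1-byte length covering type + payload, 1-byte type,
 * payload) and copy the Complete Local Name, NUL-terminated and truncated to
 * fit, into a caller-sized buffer. Returns the name length, 0 if no name is
 * present, or -1 if any structure claims bytes past the end of the EIR. */
int eir_get_local_name(const eir_buf_t *eir, char *out, size_t out_sz) {
    int found = 0;
    if (eir == NULL || out == NULL || out_sz == 0) return -1;
    out[0] = '\0';
    for (size_t pos = 0; pos < eir->len && eir->data[pos] != 0;) {
        size_t ad_len = eir->data[pos];                /* type + payload bytes */
        if (pos + 1 + ad_len > eir->len) return -1;    /* oversize structure */
        if (eir->data[pos + 1] == AD_TYPE_COMPLETE_LOCAL_NAME) {
            size_t n = ad_len - 1;                     /* payload bytes only */
            if (n > out_sz - 1) n = out_sz - 1;        /* bound by caller's buffer */
            memcpy(out, &eir->data[pos + 2], n);
            out[n] = '\0';
            found = (int)n;
        }
        pos += 1 + ad_len;                             /* zero length byte ends walk */
    }
    return found;
}

/* Constructed sample EIR: Complete Local Name "Test", then a TX Power Level. */
const uint8_t kSampleEir[] = { 0x05, 0x09, 'T', 'e', 's', 't', 0x02, 0x0A, 0x04 };
```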
Published 2020-02-05 17:15:10
Updated 2020-04-13 15:15:11
Source MITRE
Vulnerability category: Overflow, Memory Corruption

Exploit prediction scoring system (EPSS) score for CVE-2019-11516

Probability of exploitation activity in the next 30 days: ~61%

CVSS scores for CVE-2019-11516


CWE ids for CVE-2019-11516

  • The product writes data past the end, or before the beginning, of the intended buffer.
    Assigned by: (Primary)

References for CVE-2019-11516

Products affected by CVE-2019-11516

