Skip to main content

Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

CVE-2019-9506

HIGH8.1

Blutooth BR/EDR specification does not specify sufficient encryption key length and allows an attacker to influence key length negotiation

Published Aug 14, 2019

Modified 1 years ago

No fix available

Details

The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.

References

ADVISORYhttp://lists.opensuse.org/opensuse-security-announce/2019-10/msg00036.html ADVISORYhttp://lists.opensuse.org/opensuse-security-announce/2019-10/msg00037.html WEBhttp://seclists.org/fulldisclosure/2019/Aug/11 WEBhttp://seclists.org/fulldisclosure/2019/Aug/13 WEBhttp://seclists.org/fulldisclosure/2019/Aug/14 WEBhttp://seclists.org/fulldisclosure/2019/Aug/15 WEBhttp://www.cs.ox.ac.uk/publications/publication12404-abstract.html WEBhttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190828-01-knob-en ADVISORYhttps://access.redhat.com/errata/RHSA-2019:2975 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3055 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3076 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3089 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3165 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3187 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3217 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3218 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3220 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3231 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3309 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:3517 ADVISORYhttps://access.redhat.com/errata/RHSA-2020:0204 WEBhttps://lists.debian.org/debian-lts-announce/2019/09/msg00014.html WEBhttps://lists.debian.org/debian-lts-announce/2019/09/msg00015.html WEBhttps://lists.debian.org/debian-lts-announce/2019/09/msg00025.html ADVISORYhttps://usn.ubuntu.com/4115-1/ADVISORYhttps://usn.ubuntu.com/4118-1/ADVISORYhttps://usn.ubuntu.com/4147-1/WEBhttps://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2019-9506 ADVISORYhttps://www.kb.cert.org/vuls/id/918987/WEBhttps://www.usenix.org/conference/usenixsecurity19/presentation/antonioli

CVSS Analysis

CVSS v3.0

8.1

Exploitability

Attack Vector

AdjacentAV:A

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

LowI:L

Availability

LowA:L

7.6/CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Weakness Type (CWE)

Other

Ecosystems

Timeline

PublishedAug 14, 2019

ModifiedSep 16, 2024

CVE-2019-9506 | Mondoo Vulnerability Intelligence