CVE-2020-11167
9.8 CRITICAL
📋 TL;DR
This is a critical memory corruption vulnerability in Qualcomm Snapdragon chipsets' Bluetooth L2CAP reassembly logic. Attackers can remotely execute arbitrary code or cause denial of service by sending specially crafted Bluetooth packets that exceed expected data lengths. Affects numerous Qualcomm Snapdragon platforms across automotive, mobile, IoT, and wearable devices.
💻 Affected Systems
Products:
- Snapdragon Auto
- Snapdragon Compute
- Snapdragon Connectivity
- Snapdragon Consumer IOT
- Snapdragon Industrial IOT
- Snapdragon Mobile
- Snapdragon Voice & Music
- Snapdragon Wearables
Versions: Multiple chipset versions - see Qualcomm December 2020 bulletin for specific affected chipsets
Operating Systems: Android, Linux-based embedded systems
Default Config Vulnerable:
⚠️ Yes
Notes: Vulnerability exists in Bluetooth firmware/stack. All devices with affected Snapdragon chipsets and Bluetooth enabled are vulnerable by default.
📦 What is this software?
Apq8009w by Qualcomm
Apq8017 by Qualcomm
Apq8037 by Qualcomm
Apq8053 by Qualcomm
Apq8064au by Qualcomm
Apq8096au by Qualcomm
Aqt1000 by Qualcomm
Msm8909w by Qualcomm
Msm8917 by Qualcomm
Msm8920 by Qualcomm
Msm8937 by Qualcomm
Msm8940 by Qualcomm
Msm8953 by Qualcomm
Msm8996au by Qualcomm
Pm215 by Qualcomm
Pm3003a by Qualcomm
Pm439 by Qualcomm
Pm6125 by Qualcomm
Pm6150 by Qualcomm
Pm6150a by Qualcomm
Pm6150l by Qualcomm
Pm6350 by Qualcomm
Pm640a by Qualcomm
Pm640l by Qualcomm
Pm640p by Qualcomm
Pm660 by Qualcomm
Pm660l by Qualcomm
Pm670 by Qualcomm
Pm670a by Qualcomm
Pm670l by Qualcomm
Pm7150a by Qualcomm
Pm7150l by Qualcomm
Pm7250 by Qualcomm
Pm7250b by Qualcomm
Pm8004 by Qualcomm
Pm8005 by Qualcomm
Pm8008 by Qualcomm
Pm8009 by Qualcomm
Pm8150a by Qualcomm
Pm8150b by Qualcomm
Pm8150c by Qualcomm
Pm8150l by Qualcomm
Pm8250 by Qualcomm
Pm855 by Qualcomm
Pm855a by Qualcomm
Pm855b by Qualcomm
Pm855l by Qualcomm
Pm855p by Qualcomm
Pm8909 by Qualcomm
Pm8937 by Qualcomm
Pm8940 by Qualcomm
Pm8953 by Qualcomm
Pm8996 by Qualcomm
Pm8998 by Qualcomm
Pmi632 by Qualcomm
Pmi8937 by Qualcomm
Pmi8952 by Qualcomm
Pmi8994 by Qualcomm
Pmi8996 by Qualcomm
Pmi8998 by Qualcomm
Pmk8001 by Qualcomm
Pmk8002 by Qualcomm
Pmk8003 by Qualcomm
Pmm855au by Qualcomm
Pmm8996au by Qualcomm
Pmr525 by Qualcomm
Pmr735a by Qualcomm
Pmr735b by Qualcomm
Pmw3100 by Qualcomm
Pmx50 by Qualcomm
Pmx55 by Qualcomm
Qat3516 by Qualcomm
Qat3518 by Qualcomm
Qat3519 by Qualcomm
Qat3522 by Qualcomm
Qat3550 by Qualcomm
Qat3555 by Qualcomm
Qat5515 by Qualcomm
Qat5516 by Qualcomm
Qat5522 by Qualcomm
Qat5533 by Qualcomm
Qbt1000 by Qualcomm
Qbt1500 by Qualcomm
Qbt2000 by Qualcomm
Qca6174a by Qualcomm
Qca6175a by Qualcomm
Qca6310 by Qualcomm
Qca6320 by Qualcomm
Qca6335 by Qualcomm
Qca6390 by Qualcomm
Qca6391 by Qualcomm
Qca6420 by Qualcomm
Qca6421 by Qualcomm
Qca6426 by Qualcomm
Qca6430 by Qualcomm
Qca6431 by Qualcomm
Qca6436 by Qualcomm
Qca6564a by Qualcomm
Qca6564au by Qualcomm
Qca6574 by Qualcomm
Qca6574a by Qualcomm
Qca6574au by Qualcomm
Qca6595 by Qualcomm
Qca6595au by Qualcomm
Qca6696 by Qualcomm
Qca9379 by Qualcomm
Qcs603 by Qualcomm
Qcs605 by Qualcomm
Qdm2301 by Qualcomm
Qdm2302 by Qualcomm
Qdm2305 by Qualcomm
Qdm2307 by Qualcomm
Qdm2308 by Qualcomm
Qdm2310 by Qualcomm
Qdm3301 by Qualcomm
Qdm5620 by Qualcomm
Qdm5621 by Qualcomm
Qdm5650 by Qualcomm
Qdm5652 by Qualcomm
Qdm5670 by Qualcomm
Qdm5671 by Qualcomm
Qdm5677 by Qualcomm
Qdm5679 by Qualcomm
Qet4100 by Qualcomm
Qet4101 by Qualcomm
Qet4200aq by Qualcomm
Qet5100 by Qualcomm
Qet6100 by Qualcomm
Qet6110 by Qualcomm
Qfe2080fc by Qualcomm
Qfe2081fc by Qualcomm
Qfe2082fc by Qualcomm
Qfe2101 by Qualcomm
Qfe2550 by Qualcomm
Qfe3100 by Qualcomm
Qfe3440fc by Qualcomm
Qfe4301 by Qualcomm
Qfe4302 by Qualcomm
Qfe4303 by Qualcomm
Qfe4305 by Qualcomm
Qfe4308 by Qualcomm
Qfe4309 by Qualcomm
Qfe4320 by Qualcomm
Qfe4373fc by Qualcomm
Qfe4455fc by Qualcomm
Qfe4465fc by Qualcomm
Qfs2530 by Qualcomm
Qfs2580 by Qualcomm
Qln1020 by Qualcomm
Qln1021aq by Qualcomm
Qln1030 by Qualcomm
Qln1031 by Qualcomm
Qln1035bd by Qualcomm
Qln1036aq by Qualcomm
Qln4642 by Qualcomm
Qln4650 by Qualcomm
Qln5020 by Qualcomm
Qln5030 by Qualcomm
Qln5040 by Qualcomm
Qpa2625 by Qualcomm
Qpa4360 by Qualcomm
Qpa4361 by Qualcomm
Qpa5460 by Qualcomm
Qpa5580 by Qualcomm
Qpa5581 by Qualcomm
Qpa6560 by Qualcomm
Qpa8673 by Qualcomm
Qpa8686 by Qualcomm
Qpa8801 by Qualcomm
Qpa8802 by Qualcomm
Qpa8803 by Qualcomm
Qpa8821 by Qualcomm
Qpa8842 by Qualcomm
Qpm4650 by Qualcomm
Qpm5621 by Qualcomm
Qpm5658 by Qualcomm
Qpm5670 by Qualcomm
Qpm5677 by Qualcomm
Qpm5679 by Qualcomm
Qpm6582 by Qualcomm
Qpm6585 by Qualcomm
Qpm8820 by Qualcomm
Qpm8830 by Qualcomm
Qpm8870 by Qualcomm
Qpm8895 by Qualcomm
Qsm7250 by Qualcomm
Qsw6310 by Qualcomm
Qsw8573 by Qualcomm
Qsw8574 by Qualcomm
Qtc410s by Qualcomm
Qtc800h by Qualcomm
Qtc800s by Qualcomm
Qtc800t by Qualcomm
Qtc801s by Qualcomm
Qtm525 by Qualcomm
Qualcomm215 by Qualcomm
Rgr7640au by Qualcomm
Sa6155 by Qualcomm
Sa6155p by Qualcomm
Sa8155 by Qualcomm
Sa8155p by Qualcomm
Sd205 by Qualcomm
Sd210 by Qualcomm
Sd429 by Qualcomm
Sd439 by Qualcomm
Sd450 by Qualcomm
Sd632 by Qualcomm
Sd665 by Qualcomm
Sd675 by Qualcomm
Sd6905g by Qualcomm
Sd710 by Qualcomm
Sd712 by Qualcomm
Sd750g by Qualcomm
Sd765 by Qualcomm
Sd765g by Qualcomm
Sd768g by Qualcomm
Sd820 by Qualcomm
Sd821 by Qualcomm
Sd835 by Qualcomm
Sd845 by Qualcomm
Sd855 by Qualcomm
Sd8655g by Qualcomm
Sd8cx by Qualcomm
Sdm429w by Qualcomm
Sdm830 by Qualcomm
Sdr051 by Qualcomm
Sdr052 by Qualcomm
Sdr660 by Qualcomm
Sdr660g by Qualcomm
Sdr735 by Qualcomm
Sdr8150 by Qualcomm
Sdr8250 by Qualcomm
Sdr845 by Qualcomm
Sdr865 by Qualcomm
Sdw2500 by Qualcomm
Sdx50m by Qualcomm
Sdx55 by Qualcomm
Sdx55m by Qualcomm
Sdxr1 by Qualcomm
Sdxr25g by Qualcomm
Sm7250p by Qualcomm
Smb1351 by Qualcomm
Smb1355 by Qualcomm
Smb1358 by Qualcomm
Smb1380 by Qualcomm
Smb1381 by Qualcomm
Smb1390 by Qualcomm
Smb1395 by Qualcomm
Smb1396 by Qualcomm
Smr525 by Qualcomm
Smr526 by Qualcomm
Wcd9326 by Qualcomm
Wcd9335 by Qualcomm
Wcd9340 by Qualcomm
Wcd9341 by Qualcomm
Wcd9360 by Qualcomm
Wcd9370 by Qualcomm
Wcd9375 by Qualcomm
Wcd9380 by Qualcomm
Wcd9385 by Qualcomm
Wcn3610 by Qualcomm
Wcn3615 by Qualcomm
Wcn3620 by Qualcomm
Wcn3660 by Qualcomm
Wcn3660b by Qualcomm
Wcn3680 by Qualcomm
Wcn3680b by Qualcomm
Wcn3950 by Qualcomm
Wcn3980 by Qualcomm
Wcn3988 by Qualcomm
Wcn3990 by Qualcomm
Wcn3991 by Qualcomm
Wcn3998 by Qualcomm
Wgr7640 by Qualcomm
Whs9410 by Qualcomm
Wsa8810 by Qualcomm
Wsa8815 by Qualcomm
Wsa8830 by Qualcomm
Wsa8835 by Qualcomm
Wtr2955 by Qualcomm
Wtr2965 by Qualcomm
Wtr3905 by Qualcomm
Wtr3925 by Qualcomm
Wtr3950 by Qualcomm
Wtr4905 by Qualcomm
Wtr5975 by Qualcomm
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with kernel privileges leading to complete device compromise, data theft, and persistent backdoor installation.
Likely Case
Remote denial of service (device crash/reboot) or limited code execution in Bluetooth context.
If Mitigated
Denial of service only if exploit attempts are blocked or fail due to mitigations.
🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH
🎯 Exploit Status
Public PoC:
✅ No
Weaponized:
UNKNOWN
Unauthenticated Exploit:
⚠️ Yes
Complexity:
MEDIUM
Exploitation requires Bluetooth proximity (typically within 10 meters). No authentication needed as Bluetooth pairing not required for this attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to device manufacturer updates - patches released in December 2020
Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/december-2020-bulletin
Restart Required: Yes
Instructions:
1. Check with device manufacturer for firmware/OS updates. 2. Apply latest security patches from device vendor. 3. Reboot device after update. 4. Verify Bluetooth stack version is patched.
🔧 Temporary Workarounds
Disable Bluetooth
allTurn off Bluetooth when not in use to prevent remote exploitation
adb shell settings put global bluetooth_on 0
systemctl stop bluetooth (Linux)
Turn off in device settings
Restrict Bluetooth Visibility
allSet Bluetooth to non-discoverable mode to reduce attack surface
adb shell settings put global bluetooth_discoverability 0
hciconfig hci0 noscan
🧯 If You Can't Patch
- Segment affected devices on separate network/VLAN
- Implement Bluetooth usage policies restricting to trusted devices only
🔍 How to Verify
Check if Vulnerable:
Check device chipset model and firmware version against Qualcomm advisory. Use: adb shell getprop ro.boot.hardware.sku or check device specifications.Check Version:
adb shell getprop ro.build.version.security_patchVerify Fix Applied:
Verify device has December 2020 or later security patches installed. Check Bluetooth stack version if available from manufacturer.📡 Detection & Monitoring
Log Indicators:
- Bluetooth stack crashes
- Kernel panic logs
- Unexpected Bluetooth disconnections
Network Indicators:
- Unusual Bluetooth packet patterns
- Multiple connection attempts from unknown devices
SIEM Query:
source="bluetooth" AND (event="crash" OR event="panic")