CVE-2021-43400

9.1 CRITICAL

📋 TL;DR

This vulnerability in BlueZ (Linux Bluetooth stack) allows a use-after-free condition when a client disconnects during D-Bus processing of a WriteValue call. Attackers could potentially execute arbitrary code or cause denial of service on affected systems. Systems running BlueZ 5.61 with Bluetooth enabled are vulnerable.

💻 Affected Systems

Products:
  • BlueZ
  • Linux distributions using BlueZ
Versions: BlueZ 5.61 specifically
Operating Systems: Linux distributions including Debian, Ubuntu, Fedora, and others
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when Bluetooth is enabled and devices are connected

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, privilege escalation, or persistent backdoor installation

🟠

Likely Case

Denial of service causing Bluetooth service crashes or system instability

🟢

If Mitigated

Limited impact with proper network segmentation and Bluetooth disabled on critical systems

🌐 Internet-Facing: MEDIUM - Requires Bluetooth proximity or network access to Bluetooth services
🏢 Internal Only: HIGH - Internal attackers with Bluetooth access could exploit this vulnerability

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires timing the client disconnection during specific D-Bus operations

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BlueZ versions after commit 838c0dc7641e1c991c0f3027bf94bee4606012f8

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html

Restart Required: Yes

Instructions:

1. Update BlueZ package using your distribution's package manager
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade bluez
3. Restart Bluetooth service: sudo systemctl restart bluetooth
4. Reboot system to ensure complete patch application

🔧 Temporary Workarounds

Disable Bluetooth Service

Temporarily disable Bluetooth to prevent exploitation:

sudo systemctl stop bluetooth
sudo systemctl disable bluetooth

Block Bluetooth Ports

Bluetooth (HCI/L2CAP) is not carried over TCP/IP, so host-firewall port rules cannot block it. The ufw rules originally listed here (deny 22/tcp and 4711/tcp) have no effect on Bluetooth, and 22/tcp is SSH, so denying it would only lock out remote administration. To block the radio at the host level instead, soft-block it with rfkill:

sudo rfkill block bluetooth

🧯 If You Can't Patch

  • Disable Bluetooth on all affected systems immediately
  • Implement network segmentation to isolate Bluetooth-enabled devices

🔍 How to Verify

Check if Vulnerable:

Check BlueZ version: bluetoothd --version | grep -F '5.61'

Check Version:

bluetoothd --version || dpkg -l | grep bluez || rpm -qa | grep bluez

Verify Fix Applied:

Verify BlueZ version is newer than 5.61: bluetoothd --version

📡 Detection & Monitoring

Log Indicators:

  • Bluetooth service crashes in system logs
  • D-Bus error messages related to WriteValue calls
  • Unexpected Bluetooth disconnections

Network Indicators:

  • Multiple rapid Bluetooth connection attempts
  • Abnormal WriteValue request patterns

SIEM Query:

source="systemd" "bluetooth" AND ("crash" OR "segfault" OR "use-after-free")
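The version check and the log indicators above, as an added offline example (not code from the advisory or the BlueZ project); the journal lines it scans are constructed samples, and the version parser assumes the upstream version is the first dotted number in a package string:

```shell
#!/bin/sh
# Added example, not from the advisory or BlueZ: helpers for the
# "How to Verify" and "Detection & Monitoring" sections of CVE-2021-43400.

# bluez_affected VERSION: exit 0 when VERSION is the affected 5.61 release.
# Accepts plain "5.61", distro strings such as "1:5.61-0ubuntu1", or a
# whole `dpkg -l` line; assumption: the upstream version is the first
# dotted number after any leading text and epoch.
bluez_affected() {
  v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/^[0-9]*://; s/[^0-9.].*$//')
  [ "$v" = "5.61" ]
}

# count_crash_indicators: read journal lines on stdin and print how many
# mention Bluetooth together with a crash signature (bluetoothd segfault,
# systemd reporting SEGV or a core dump, or a use-after-free report).
count_crash_indicators() {
  grep -i 'bluetooth' | grep -icE 'segfault|segv|crash|core.dump|use-after-free' || true
}

# Constructed sample journal (not a real capture): three lines from a
# bluetoothd crash of the kind this CVE would produce, two unrelated lines.
SAMPLE_JOURNAL='Nov 01 10:02:11 host kernel: bluetoothd[812]: segfault at 0 ip 00007f3a1c0d4e10 sp 00007ffd2b1c0a40 error 4 in bluetoothd
Nov 01 10:02:11 host systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
Nov 01 10:02:12 host systemd[1]: bluetooth.service: Failed with result "core-dump".
Nov 01 10:05:00 host bluetoothd[900]: Bluetooth daemon 5.61
Nov 01 10:05:03 host sshd[950]: Accepted publickey for admin from 10.0.0.5'

# live_check: run both checks on this host (needs bluetoothd and journalctl).
live_check() {
  command -v bluetoothd >/dev/null 2>&1 || { echo "bluetoothd not installed"; return 0; }
  v=$(bluetoothd --version)
  if bluez_affected "$v"; then echo "BlueZ $v: affected by CVE-2021-43400"
  else echo "BlueZ $v: not the affected 5.61 release"; fi
  n=$(journalctl -b --no-pager 2>/dev/null | count_crash_indicators)
  echo "Bluetooth crash indicators in current boot journal: $n"
}

# Demo on the constructed sample; pass --live to check the running host.
printf 'crash indicators in sample journal: %s\n' \
  "$(printf '%s\n' "$SAMPLE_JOURNAL" | count_crash_indicators)"
if [ "${1:-}" = "--live" ]; then live_check; fi
```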
