CVE-2023-27349

8.0 HIGH

📋 TL;DR

This vulnerability in BlueZ's AVRCP Bluetooth audio profile allows network-adjacent attackers to execute arbitrary code with root privileges by sending specially crafted Bluetooth packets. It affects Linux systems running the BlueZ Bluetooth stack when a user connects to a malicious Bluetooth device. The flaw stems from improper array index validation, which leads to a buffer overflow.

💻 Affected Systems

Products:
  • BlueZ Bluetooth stack
Versions: BlueZ versions before commit f54299a850676d92c3dafd83e9174fcfe420ccc9
Operating Systems: Linux distributions using BlueZ (Debian, Ubuntu, Fedora, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Bluetooth enabled and AVRCP profile support. User must connect to malicious device.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with root privileges, allowing complete system compromise and persistence.

🟠 Likely Case

Local privilege escalation or denial of service on affected Bluetooth services.

🟢 If Mitigated

Limited to denial of service if Bluetooth access is restricted or patched.

🌐 Internet-Facing: LOW (requires Bluetooth proximity, not internet connectivity)
🏢 Internal Only: MEDIUM (requires physical proximity or internal network Bluetooth access)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (connecting to malicious Bluetooth device) and physical/network proximity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BlueZ commit f54299a850676d92c3dafd83e9174fcfe420ccc9 and later

Vendor Advisory: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f54299a850676d92c3dafd83e9174fcfe420ccc9

Restart Required: Yes

Instructions:

1. Update BlueZ package via system package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade bluez
3. Restart Bluetooth service: sudo systemctl restart bluetooth
4. Reboot system if kernel modules were updated.

🔧 Temporary Workarounds

Disable Bluetooth

linux

Completely disable Bluetooth to prevent exploitation

sudo systemctl stop bluetooth
sudo systemctl disable bluetooth

Restrict Bluetooth connections

linux

Configure Bluetooth to only accept connections from trusted devices

sudo btmgmt power off
Configure Bluetooth settings to require pairing confirmation

🧯 If You Can't Patch

  • Disable Bluetooth completely when not in use
  • Implement strict Bluetooth device whitelisting and require manual approval for all connections

🔍 How to Verify

Check if Vulnerable:

Check BlueZ version: bluetoothctl --version or dpkg -l | grep bluez

Check Version:

bluetoothctl --version 2>/dev/null || dpkg -l | grep bluez || rpm -q bluez

Verify Fix Applied:

Verify BlueZ version includes commit f54299a850676d92c3dafd83e9174fcfe420ccc9 or check package version against patched releases

📡 Detection & Monitoring

Log Indicators:

  • Unusual Bluetooth connection attempts in /var/log/syslog
  • AVRCP protocol errors in Bluetooth logs

Network Indicators:

  • Suspicious Bluetooth MAC addresses attempting connections
  • Unusual AVRCP traffic patterns

SIEM Query:

source="bluetooth" AND (event="connection" OR event="avrcp") AND status="failed"
