{"id":"CVE-2019-9506","details":"The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka \"KNOB\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.","modified":"2026-03-15T22:32:11.606807Z","published":"2019-08-14T17:15:11.597Z","related":["SUSE-SU-2019:2648-1","SUSE-SU-2019:2651-1","SUSE-SU-2019:2658-1","SUSE-SU-2019:2706-1","SUSE-SU-2019:2710-1","SUSE-SU-2019:2756-1","SUSE-SU-2019:2879-1","SUSE-SU-2019:2949-1","SUSE-SU-2019:2950-1","SUSE-SU-2019:2984-1","SUSE-SU-2019:3200-1","SUSE-SU-2019:3295-1","SUSE-SU-2020:0093-1","openSUSE-SU-2019:2307-1","openSUSE-SU-2019:2308-1"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3220"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3218"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3517"},{"type":"ADVISORY","url":"https://www.usenix.org/conference/usenixsecurity19/presentation/antonioli"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4118-1/"},{"type":"ADVISORY","url":"https://www.kb.cert.org/vuls/id/918987/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3309"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00014.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00037.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2019/Aug/13"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2019/Aug/14"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3055"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3217"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3231"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2975"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3165"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00036.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2019/Aug/11"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4115-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4147-1/"},{"type":"ADVISORY","url":"https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2019/Aug/15"},{"type":"ADVISORY","url":"http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190828-01-knob-en"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3076"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3089"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3187"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0204"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00015.html"},{"type":"ADVISORY","url":"http://www.cs.ox.ac.uk/publications/publication12404-abstract.html"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9506.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"12.4"}]},{"events":[{"introduced":"0"},{"last_affected":"10.12.6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.13.6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"12.4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7"}]},{"events":[{"introduced":"0"},{"last_affected":"8"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7"}]},{"events":[{"introduced":"0"},{"last_affected":"8"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.333\\(c00e333r2p1t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.160\\(c00e160r2p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.160\\(c00e160r2p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.165\\(c01e165r2p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.1.181\\(c00e48r6p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"8.0.0.147\\(c605custc605d1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"8.0.0.153\\(c461custc461d1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"8.0.0.155\\(c636custc636d1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.329\\(c786e320r2p1t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.300\\(c605e2r1p12t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.329\\(c01e320r1p1t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"8.0.0.366\\(c00\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.333\\(c00e333r2p1t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.332\\(c432e5r1p13t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.333\\(c01e333r1p1t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"cairogo-l22c461b153"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.311\\(c605e2r1p11t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.333\\(c00e333r1p1t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.335\\(c675e8r1p9t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.350\\(c10e5r1p14t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"8.1.0.186\\(c01gt\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.333\\(c00e333r1p1t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.363\\(c675e3r1p9t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"8.2.0.141\\(c675custc675d1gt\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.363\\(c675e2r1p9t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.336\\(c636e2r1p12t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.333\\(c01e333r1p1t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"8.2.0.190\\(c00r2p2\\)"}]},{"events":[{"introduced":"0"},{"fixed":"1.0.0.182\\(c00\\)"}]},{"events":[{"introduced":"0"},{"fixed":"1.0.0.176\\(c01\\)"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.0.156(c605)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.338\\(c185e3r3p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.160\\(c605e6r1p5t8\\)"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.0.122d(c652)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.130\\(c01e115r2p8t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.128\\(c00e112r1p6t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.150\\(c185e6r1p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.150\\(c636e6r1p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.154\\(c605e7r1p2t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.128\\(c01e112r1p6t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.143\\(c675e8r2p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.154\\(c185e2r5p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.306\\(c185e2r1p13t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.306\\(c432e4r1p11t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.306\\(c636e2r1p13t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.307\\(c635e4r1p13t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.350\\(c10e3r1p14t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.350\\(c636e4r1p13t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.325\\(c185e4r1p11t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.325\\(c636e2r1p12t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.328\\(c432e5r1p9t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.328\\(c782e10r1p9t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.350\\(c185e3r1p12t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.350\\(c461e3r1p11t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.350\\(c636e3r1p13t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.351\\(c432e5r1p13t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.341\\(c185e1r1p9t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.342\\(c461e1r1p9t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.347\\(c432e1r1p9t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.311\\(c461e2r1p11t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.325\\(c185e2r1p12t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.325\\(c636e7r1p13t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.326\\(c635e2r1p11t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.328\\(c432e7r1p11t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.122\\(c09e7r1p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.137\\(c33e8r1p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.137\\(c530e8r1p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.158\\(c432e8r1p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.165\\(c10e8r1p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.150\\(c432e6r1p5t8\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.149\\(c675e8r2p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.154\\(c185e2r5p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.154\\(c432e2r5p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.154\\(c636e2r3p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.155\\(c10e2r3p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.170\\(c185e2r5p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.170\\(c636e2r3p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.171\\(c10e2r3p1\\)"}]},{"events":[{"introduced":"0"},{"fixed":"9.1.0.172\\(c432e2r5p1\\)"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}