CVE-2020-27153

In BlueZ before 5.55, a double free was found in the gatttool disconnect_cb() routine from shared/att.c. A remote attacker could potentially cause a denial of service or code execution, during service discovery, due to a redundant disconnect MGMT event.

References

Affected packages

Git / github.com/bluez/bluez

Affected ranges

Type

GIT

Repo

https://github.com/bluez/bluez

Events

Introduced

Fixed

5a180f2ec9edfacafd95e5fed20d36fe8e077f07

Fixed

1cd644db8c23a2f530ddb93cebed7dacc5f5721a

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.55"
        }
    ]
}

Affected versions

4.*

4.0

4.1

4.10

4.100

4.101

4.11

4.12

4.13

4.14

4.15

4.16

4.17

4.18

4.19

4.2

4.20

4.21

4.22

4.23

4.24

4.25

4.26

4.27

4.28

4.29

4.30

4.31

4.32

4.33

4.34

4.35

4.36

4.37

4.38

4.39

4.40

4.41

4.42

4.43

4.44

4.45

4.46

4.47

4.48

4.49

4.5

4.50

4.51

4.52

4.53

4.54

4.55

4.56

4.57

4.58

4.59

4.6

4.60

4.61

4.62

4.63

4.64

4.65

4.66

4.67

4.68

4.69

4.7

4.70

4.71

4.72

4.73

4.74

4.75

4.76

4.77

4.78

4.79

4.8

4.80

4.81

4.82

4.83

4.84

4.85

4.86

4.87

4.88

4.89

4.9

4.90

4.91

4.92

4.93

4.94

4.95

4.96

4.97

4.98

4.99

5.*

5.0

5.1

5.10

5.11

5.12

5.13

5.14

5.15

5.16

5.17

5.18

5.19

5.2

5.20

5.21

5.22

5.23

5.24

5.25

5.26

5.27

5.28

5.29

5.3

5.30

5.31

5.32

5.33

5.34

5.35

5.36

5.37

5.38

5.39

5.4

5.40

5.41

5.42

5.43

5.44

5.45

5.46

5.47

5.48

5.49

5.5

5.50

5.51

5.52

5.53

5.54

5.6

5.7

5.8

5.9

Database specific

vanir_signatures_modified

"2026-04-11T16:25:30Z"

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-27153.json"

vanir_signatures

[
    {
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2020-27153-5c9af719",
        "source": "https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a",
        "target": {
            "file": "src/shared/att.c"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "193031578723794859252025779680268025050",
                "328489074626764670051532720376588187963",
                "234780927341935949843624079351461986700",
                "315667152069755274390545420421362562734",
                "135989866379935825391429829556551430383",
                "159111306259249961601994318252371408006",
                "133457257734803768519132419718574797765",
                "158108262920956119807404915421559473776",
                "254205889322255188941922808524596469852",
                "328180784454490762655644906709495665121",
                "3509613340198738847501478267685258168",
                "216061193566643570294522832304722192320",
                "100307739094877673628949319102881601483",
                "165653913577279199058309468338404586834",
                "236085318238112343811746810732155052492",
                "20473985302098799622098429475406693735",
                "127270796435307027120357940523067201530",
                "74521990784890663215507818586454338326",
                "207218834111476324065311991714828591242",
                "276679355697489795698190647522775802440",
                "97412044546354208512225428254390029890",
                "10550507841831675259749901203115382645",
                "158710138297906037179770610129074560535",
                "154523380595998693114353828452535992602"
            ]
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2020-27153-5dcc1a0f",
        "source": "https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a",
        "target": {
            "file": "src/shared/att.c",
            "function": "bt_att_cancel"
        },
        "signature_version": "v1",
        "digest": {
            "length": 665.0,
            "function_hash": "251085821085271362817089067465857009678"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a",
        "id": "CVE-2020-27153-5debd5f7",
        "signature_version": "v1",
        "target": {
            "file": "src/shared/att.c",
            "function": "disconnect_cb"
        },
        "digest": {
            "length": 1133.0,
            "function_hash": "331238215432473323968595143202019330246"
        }
    },
    {
        "deprecated": false,
        "source": "https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a",
        "id": "CVE-2020-27153-62583467",
        "signature_type": "Function",
        "target": {
            "file": "src/shared/att.c",
            "function": "cancel_att_send_op"
        },
        "signature_version": "v1",
        "digest": {
            "length": 190.0,
            "function_hash": "217313407953137803246294354082360522010"
        }
    }
]

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.2"
            }
        ]
    }
]