tdec · June 23, 2023 20:41
diff --git a/gistfile1.txt b/gistfile1.txt
 Vulnerabilities published by Bluetooth SIG, Android, Apple, Intel and Qualcomm security bulletins, published at security conferences or as master thesis. If any are missing, thanks for pointing me to them !
 Todo: macOS

 Year | Name | CVE

 2020 | Blurtooth: Exploiting Cross-Transport Key Derivation         | 2020-15802
 2020 | Pairing Method Confusion                                     | 2020-10134
 2020 | BIAS: Bluetooth Impersonation Attacks                        | 2020-10135
 2020 | BlueRepli                                                    | ?
 2020 | BLESA: Bluetooth Low energy spoofing attacks                 | 2020-9770
 2020 | Bluefrag                                                     | 2020-0022
 2020 | Sweyntooth: Multiple BLE SDK vulnerabilities                 | Multiple CVE
 2020 | Bluetooth traffic intercept due to low entropy HRNG/PRNG     | 2020-6616
 2020 | remote code execution                                        | 2020-9838
 2020 | Denial of Service                                            | 2020-9931
 2020 | BleedingTooth: BlueZ EoP via adjacent access                 | 2020-12351
 2020 | BlueZ information disclosure via adjacent access             | 2020-12352
 2020 | BlueZ DoS via adjacent access                                | 2020-24490
 2020 | BlueZ < 5.55 gatttool double free                            | 2020-27153
 2020 | BlueZ < 5.54 EoP and DoS                                     | 2020-0556
 2020 | Intel Wireless Bluetooth local access EoP                    | 2020-0555
 2020 | Intel Wireless Bluetooth infoleak on Windows 10              | 2020-0553
 2020 | Intel Wireless Bluetooth DoS                                 | 2020-14620
 2020 | Qualcomm GATT data out of bounds read                        | 2020-11153
 2020 | Qualcomm PDU data packet buffer overflow                     | 2020-11154
 2020 | Qualcomm PDU data packet buffer overflow #2                  | 2020-11155
 2020 | Qualcomm L2CAP buffer over-read                              | 2020-11141
 2020 | Qualcomm L2CAP buffer over-read #2                           | 2020-11156
 2020 | Qualcomm control message DoS                                 | 2020-11157
 2020 | Qualcomm L2CAP integer overflow                              | 2020-11169
 2020 | Nordic Semiconductor Stripping encryption from BLE library   | 2020-15509
 2020 | Nordic Semiconductor nrf52 APPROTECT bypass via fault injection | ?
 2020 | Spectra: Wi-Fi -> Bluetooth DoS 			            | 2020-10370
 2020 | Spectra: Side-channel info leak 			            | 2020-10369
 2020 | Spectra: Broadcom Wi-Fi RAM info leak 		            | 2020-10368
 2020 | Spectra: Broadcom Wi-Fi RAM arbitrary code execution	    | 2020-10367
 2020 | Silicon Labs BLE EFR32 RCE				    | 2020-15531
 2020 | Silicon Labs BLE EFR32 DoS				    | 2020-15532


 2019 | KNOB: Key Negotiation of Bluetooth                           | 2019-9506
 2019 | intercept BLE traffic during pairing                         | 2019-2102
 2019 | Qualcomm SoC LMP packet buffer overflow                      | 2019-14095
 2019 | Broadcom Host device buffer misconfiguration RCE             | 2019-18614
 2019 | Broadcom Extended Inquiry Response RCE                       | 2019-11516
 2019 | Broadcom  Bug in BLE PDU parsing allowing RCE                | 2019-13916
 2019 | Broadcom LMP start_encryption_request DoS 		    | 2019-6994
 2019 | Spectra: Broadcom Coexistence lock DoS (iOS/Android) 	    | 2019-15063
 2019 | BadBluetooth                                                 | ?
 2019 | Texas Instruments CC256x/WL18xx RCE			    | 2019-15948


 2018 | bluetoothd memory corruption                                 | 2018-4095
 2018 | iOS Core Bluetooth arbitrary code execution                  | 2018-4087
 2018 | Fixed Coordinate Invalid Curve Attack                        | 2018-5383
 2018 | InternalBlue: LMP to HCI Handler Escalation Attack           | 2018-19860
 2018 | Android hidp_process_report integer overflow                 | 2018-9363
 2018 | BlueZ < 5.51 unauthorized pairing                            | 2018-10910
 2018 | Intel Centrino Wireless DoS                                  | 2018-3669
 2018 | BleedingBit: Texas Instruments RCE on Cisco/Meraki AP's      | 2018-16986
 2018 | BleedingBit: Texas Instruments RCE on Aruba AP's             | 2018-7080

 2017 | Blueborne: Multiple Bluetooth Implementation Vulnerabilities | Multiple CVE
 2017 | Android LE advertising data length issue                     | 2017-0646
 2017 | Android EoP                                                  | 2017-13220
 2017 | BlueZ (2.6.32-4.13.1) L2CAP config response stack overflow   | 2017-1000251
 2017 | BlueZ < 5.46 SDP search information disclosure               | 2017-1000250
 2017 | Qualcomm BT controller RAM dump information leak             | 2017-15841
 2017 | Qualcomm BT controller integer underflow                     | 2017-18170
 2017 | Qualcomm BT controller system reset DoS                      | 2017-18283
	Vulnerabilities published by Bluetooth SIG, Android, Apple, Intel and Qualcomm security bulletins, published at security conferences or as master thesis. If any are missing, thanks for pointing me to them !
	Todo: macOS

	Year \| Name \| CVE

	2020 \| Blurtooth: Exploiting Cross-Transport Key Derivation \| 2020-15802
	2020 \| Pairing Method Confusion \| 2020-10134
	2020 \| BIAS: Bluetooth Impersonation Attacks \| 2020-10135
	2020 \| BlueRepli \| ?
	2020 \| BLESA: Bluetooth Low energy spoofing attacks \| 2020-9770
	2020 \| Bluefrag \| 2020-0022
	2020 \| Sweyntooth: Multiple BLE SDK vulnerabilities \| Multiple CVE
	2020 \| Bluetooth traffic intercept due to low entropy HRNG/PRNG \| 2020-6616
	2020 \| remote code execution \| 2020-9838
	2020 \| Denial of Service \| 2020-9931
	2020 \| BleedingTooth: BlueZ EoP via adjacent access \| 2020-12351
	2020 \| BlueZ information disclosure via adjacent access \| 2020-12352
	2020 \| BlueZ DoS via adjacent access \| 2020-24490
	2020 \| BlueZ < 5.55 gatttool double free \| 2020-27153
	2020 \| BlueZ < 5.54 EoP and DoS \| 2020-0556
	2020 \| Intel Wireless Bluetooth local access EoP \| 2020-0555
	2020 \| Intel Wireless Bluetooth infoleak on Windows 10 \| 2020-0553
	2020 \| Intel Wireless Bluetooth DoS \| 2020-14620
	2020 \| Qualcomm GATT data out of bounds read \| 2020-11153
	2020 \| Qualcomm PDU data packet buffer overflow \| 2020-11154
	2020 \| Qualcomm PDU data packet buffer overflow #2 \| 2020-11155
	2020 \| Qualcomm L2CAP buffer over-read \| 2020-11141
	2020 \| Qualcomm L2CAP buffer over-read #2 \| 2020-11156
	2020 \| Qualcomm control message DoS \| 2020-11157
	2020 \| Qualcomm L2CAP integer overflow \| 2020-11169
	2020 \| Nordic Semiconductor Stripping encryption from BLE library \| 2020-15509
	2020 \| Nordic Semiconductor nrf52 APPROTECT bypass via fault injection \| ?
	2020 \| Spectra: Wi-Fi -> Bluetooth DoS \| 2020-10370
	2020 \| Spectra: Side-channel info leak \| 2020-10369
	2020 \| Spectra: Broadcom Wi-Fi RAM info leak \| 2020-10368
	2020 \| Spectra: Broadcom Wi-Fi RAM arbitrary code execution \| 2020-10367
	2020 \| Silicon Labs BLE EFR32 RCE \| 2020-15531
	2020 \| Silicon Labs BLE EFR32 DoS \| 2020-15532


	2019 \| KNOB: Key Negotiation of Bluetooth \| 2019-9506
	2019 \| intercept BLE traffic during pairing \| 2019-2102
	2019 \| Qualcomm SoC LMP packet buffer overflow \| 2019-14095
	2019 \| Broadcom Host device buffer misconfiguration RCE \| 2019-18614
	2019 \| Broadcom Extended Inquiry Response RCE \| 2019-11516
	2019 \| Broadcom Bug in BLE PDU parsing allowing RCE \| 2019-13916
	2019 \| Broadcom LMP start_encryption_request DoS \| 2019-6994
	2019 \| Spectra: Broadcom Coexistence lock DoS (iOS/Android) \| 2019-15063
	2019 \| BadBluetooth \| ?
	2019 \| Texas Instruments CC256x/WL18xx RCE \| 2019-15948


	2018 \| bluetoothd memory corruption \| 2018-4095
	2018 \| iOS Core Bluetooth arbitrary code execution \| 2018-4087
	2018 \| Fixed Coordinate Invalid Curve Attack \| 2018-5383
	2018 \| InternalBlue: LMP to HCI Handler Escalation Attack \| 2018-19860
	2018 \| Android hidp_process_report integer overflow \| 2018-9363
	2018 \| BlueZ < 5.51 unauthorized pairing \| 2018-10910
	2018 \| Intel Centrino Wireless DoS \| 2018-3669
	2018 \| BleedingBit: Texas Instruments RCE on Cisco/Meraki AP's \| 2018-16986
	2018 \| BleedingBit: Texas Instruments RCE on Aruba AP's \| 2018-7080

	2017 \| Blueborne: Multiple Bluetooth Implementation Vulnerabilities \| Multiple CVE
	2017 \| Android LE advertising data length issue \| 2017-0646
	2017 \| Android EoP \| 2017-13220
	2017 \| BlueZ (2.6.32-4.13.1) L2CAP config response stack overflow \| 2017-1000251
	2017 \| BlueZ < 5.46 SDP search information disclosure \| 2017-1000250
	2017 \| Qualcomm BT controller RAM dump information leak \| 2017-15841
	2017 \| Qualcomm BT controller integer underflow \| 2017-18170
	2017 \| Qualcomm BT controller system reset DoS \| 2017-18283