CVE-2020-26559 - Vulnerability Details - OpenCVE

Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bluetooth	Mesh Profile

Configuration 1 [-]

OR	cpe:2.3:a:bluetooth:mesh_profile:1.0.0:::::::*
	cpe:2.3:a:bluetooth:mesh_profile:1.0.1:::::::*

No data.

References

Link	Providers
https://kb.cert.org/vuls/id/799380
https://nvd.nist.gov/vuln/detail/CVE-2020-26559
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/
https://www.cve.org/CVERecord?id=CVE-2020-26559
https://www.kb.cert.org/vuls/id/799380

History

Tue, 04 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://www.kb.cert.org/vuls/id/799380

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-05-24T17:13:12.000Z

Updated: 2025-11-04T19:12:19.938Z

Reserved: 2020-10-04T00:00:00.000Z

Link: CVE-2020-26559

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-05-24T18:15:07.960

Modified: 2025-11-04T20:15:58.307

Link: CVE-2020-26559

Redhat

Severity : Moderate

Publid Date: 2021-05-24T16:00:00Z

Links: CVE-2020-26559 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner\u2019s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-24T17:13:12.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/"}, {"tags": ["x_refsource_MISC"], "url": "https://kb.cert.org/vuls/id/799380"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-26559", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner\u2019s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/", "refsource": "MISC", "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/"}, {"name": "https://kb.cert.org/vuls/id/799380", "refsource": "MISC", "url": "https://kb.cert.org/vuls/id/799380"}]}}}, "adp": [{"title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://kb.cert.org/vuls/id/799380"}, {"url": "https://www.kb.cert.org/vuls/id/799380"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T19:12:19.938Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-26559", "datePublished": "2021-05-24T17:13:12.000Z", "dateReserved": "2020-10-04T00:00:00.000Z", "dateUpdated": "2025-11-04T19:12:19.938Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bluetooth:mesh_profile:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "851ACDD0-CD31-4CEC-AD23-C57C68178352", "vulnerable": true}, {"criteria": "cpe:2.3:a:bluetooth:mesh_profile:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C4959D86-09FD-4C6A-AA52-7667FA9EC4BD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner\u2019s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue."}, {"lang": "es", "value": "El Bluetooth Mesh Provisioning en el perfil de Bluetooth Mesh versiones 1.0 y 1.0.1, puede permitir a un dispositivo cercano (que participe en el protocolo de aprovisionamiento) identificar el AuthValue usado dada la clave p\u00fablica del Provisionador y el n\u00famero de confirmaci\u00f3n y el nonce proporcionado por el dispositivo de aprovisionamiento. Esto podr\u00eda permitir a un dispositivo sin AuthValue completar el aprovisionamiento sin forzar el AuthValue por fuerza bruta"}], "id": "CVE-2020-26559", "lastModified": "2025-11-04T20:15:58.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-24T18:15:07.960", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://kb.cert.org/vuls/id/799380"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://kb.cert.org/vuls/id/799380"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/799380"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Authvalue leak in Bluetooth Mesh Provisioning", "id": "1960011", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1960011"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner\u2019s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.", "A flaw was found in the Linux kernel\u2019s Bluetooth Mesh Profile implementation. The Mesh Provisioning procedure has a vulnerability that allows an attacker that was provisioned without access to the AuthValue to identify the AuthValue directly, without brute-forcing its value. Even when a randomly generated AuthValue with a full 128-bits of entropy is used, an attacker acquiring the Provisioner\u2019s public key, provisioning confirmation value, the random value, and providing its public key for use in the provisioning procedure can directly compute the AuthValue used. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2020-26559", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "bluez", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "bluez", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-alt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "bluez", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "bluez", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-05-24T16:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-26559\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26559"], "statement": "Red Hat Product Security is aware of this issue and is currently assessing the impact on Red Hat supported products. Corresponding entry in the Red Hat CVE database (https://access.redhat.com/security/security-updates/#/cve) will be updated with latest information as the assessment progresses.", "threat_severity": "Moderate"}