HOMEVULNERABILITIESCVE-2019-9506
HIGH

CVE-2019-9506

CWE-310Published: August 14, 2019· Updated: Jun 17, 2026

8.1
CVSS v3.1

Official Description

The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.

NVD Source

Technical Analysis

CVE-2019-9506 requires adjacent network access, limiting remote exploitation but still posing risk in shared or local network environments.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), with a CVSS base score of 8.1.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorAdjacent
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityNone
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Vendors & Products

Apple4 product(s)
iphone osmac os xtvoswatchos
blackberry1 product(s)
blackberry
Canonical1 product(s)
ubuntu linux
Debian1 product(s)
debian linux
Google1 product(s)
android
Huawei252 product(s)
alp-al00b firmwarealp-al00bares-al00b firmwareares-al00bares-al10d firmwareares-al10dares-tl00c firmwareares-tl00casoka-al00ax firmwareasoka-al00axatomu-l33 firmwareatomu-l33+240
openSUSE1 product(s)
leap
Red Hat13 product(s)
mrg realtimevirtualization host eusenterprise linuxenterprise linux ausenterprise linux eusenterprise linux for real timeenterprise linux for real time eusenterprise linux for real time for nfventerprise linux for real time for nfv eusenterprise linux serverenterprise linux server ausenterprise linux server tus+1
Source: NVD CPE · 299 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (60)

Quick Facts

CVE IDCVE-2019-9506
CVSS Score8.1 / 10
SeverityHIGH
WeaknessCWE-310
CISA KEVNo
Affected8 vendor(s)
PublishedAug 14, 2019

Related CVEs (CWE-310)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2019-9506 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.