HOMEVULNERABILITIESCVE-2020-26558
MEDIUM

CVE-2020-26558

CWE-287Published: May 24, 2021· Updated: Jun 17, 2026

4.2
CVSS v3.1

Official Description

Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.

NVD Source

Technical Analysis

CVE-2020-26558 requires adjacent network access, limiting remote exploitation but still posing risk in shared or local network environments.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

From a weakness classification perspective (CWE-287): Authentication bypass vulnerabilities allow attackers to access protected resources without valid credentials.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorAdjacent
Attack ComplexityHigh
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityLow
IntegrityLow
AvailabilityNone
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Vendors & Products

bluetooth1 product(s)
bluetooth core specification
Debian1 product(s)
debian linux
Fedora1 product(s)
fedora
intel30 product(s)
ax210 firmwareax210ax201 firmwareax201ax200 firmwareax200ac 9560 firmwareac 9560ac 9462 firmwareac 9462ac 9461 firmwareac 9461+18
Linux1 product(s)
linux kernel
Source: NVD CPE · 34 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (21)

https://kb.cert.org/vuls/id/799380Third Party Advisory · US Government Resource
https://kb.cert.org/vuls/id/799380Third Party Advisory · US Government Resource

Quick Facts

CVE IDCVE-2020-26558
CVSS Score4.2 / 10
SeverityMEDIUM
WeaknessCWE-287
CISA KEVNo
Affected5 vendor(s)
PublishedMay 24, 2021

Related CVEs (CWE-287)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2020-26558 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.