Published: 07/06/2019 Updated: 11/06/2019
CVSS v2 Base Score: 8.3 | Impact Score: 10 | Exploitability Score: 6.5
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0
Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

In the Bluetooth Low Energy (BLE) specification, there is a provided example Long Term Key (LTK). If a BLE device were to use this as a hardcoded LTK, it is theoretically possible for a proximate malicious user to remotely inject keystrokes on a paired Android host due to improperly used crypto. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-128843052.

Affected Products

Vendor | Product | Versions
Google | Android | 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9.0

Recent Articles

It's that time again: Android kicks off June's patch parade with fixes for five hijack holes
The Register • Shaun Nichols in San Francisco • 05 Jun 2019

Updates are on the way… if you have a Google device, at least

Google has released its June bundle of security vulnerability patches for Android, with fixes for 22 CVE-listed flaws included.
This month's update, including eight critical fixes, includes patches to close up four confirmed remote code execution vulnerabilities. Google says none of the bugs have been targeted in the wild, yet.
Those with Google-branded devices like the Pixel phone line will get the update directly from the Chocolate Factory, while others will need to rely on their v...