CVE-2022-39176

Publication date 2 September 2022

Last updated 18 August 2025

Ubuntu priority

Cvss 3 Severity Score

BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.

Show unmaintained releases

Package	Ubuntu Release	Status
bluez	26.04 LTS resolute	Not affected
	25.10 questing	Not affected
	25.04 plucky	Not affected
	24.10 oracular	Not affected
	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Fixed 5.53-0ubuntu3.6
	18.04 LTS bionic	Fixed 5.48-0ubuntu3.9
	16.04 LTS xenial	Vulnerable
	14.04 LTS trusty	Ignored end of standard support

this and CVE-2022-39177 tracked in same LP bug

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
bluez	Upstream: ?id=e2b Upstream: ?id=7a8 Upstream: ?id=038

CVSS version: CVSS v3.0

Base score 8.8 · High

Base metrics

Scores

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H