Qt
cpe:2.3:a:qt:qt:*:*:*:*:*:*:*
- >= 5.4.0, <= 5.15.18
- >= 6.0.0, <= 6.5.8
- >= 6.6.0, <= 6.8.1
A vulnerability in the QLowEnergyController component of the Qt Bluetooth module has been identified, affecting versions 5.4.0 through 5.15.18, 6.0.0 through 6.5.8, and 6.6.0 through 6.8.1 (the version ranges listed above). The issue arises from improper handling of malformed Bluetooth Attribute Protocol (ATT) commands received from a remote peer, leading to out-of-bounds reads and division-by-zero conditions. The defect is located in the Bluetooth Kernel API backend, one of the Linux/BlueZ backends QLowEnergyController uses to manage connections with external Bluetooth Low Energy devices. Which backend Qt selects at runtime depends on the Qt version and on the BlueZ version present on the system, so exposure varies by deployment; the vulnerable code can be reached in both the central and the peripheral role.
A malformed ATT PDU can make the backend read past the end of its receive buffer (an out-of-bounds read and therefore a memory access violation) or perform an integer division by zero. Either outcome can crash the application or leave it in an undefined state; the attacker only needs to be a connected Bluetooth Low Energy peer.
In central role use cases, the application connects to an external Bluetooth Low Energy device using a Qt version and BlueZ combination that selects the Bluetooth Kernel API backend; once the connection is established, the remote device can send malformed ATT PDUs that trigger the vulnerability. In peripheral role use cases, the application starts advertising with QLowEnergyAdvertisingParameters::AdvInd, which accepts connections from external devices; any device that connects can then send the malformed PDUs. In both roles the malicious input arrives over the air from the peer, so no local access to the host is required.
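The two failure modes described above, as an added example that is not Qt's code and does not claim to reproduce the actual affected handler (the advisory does not say which ATT PDU type is involved): a parser for one ATT PDU type, Read By Type Response, written first in the shape that trusts the peer-supplied length byte (a zero length becomes a zero divisor; a payload that is not a whole number of pairs makes the stride loop read past the PDU) and then in a hardened form that rejects both before any arithmetic or indexing happens. The PDU byte strings, function names and error codes are constructed for this example.

```c
/*
 * Illustrative ATT Read By Type Response parser (added example; not Qt's code
 * and not the specific PDU handler the advisory concerns).
 *
 * Wire format (ATT, Bluetooth Core Spec Vol 3, Part F):
 *   byte 0      opcode, 0x09 for Read By Type Response
 *   byte 1      length: size of every handle/value pair (2-byte handle + value)
 *   byte 2..    pairs: handle (little-endian u16) || value (length - 2 bytes)
 *
 * Both "length" and the overall PDU size are chosen by the remote device.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATT_OP_READ_BY_TYPE_RESP 0x09
#define MAX_PAIRS 16

enum att_parse_result {
    ATT_ERR_TRUNCATED  = -1, /* PDU shorter than its 2-byte header */
    ATT_ERR_OPCODE     = -2, /* not a Read By Type Response */
    ATT_ERR_BAD_LENGTH = -3, /* stride too small to hold a handle plus one value byte */
    ATT_ERR_MISALIGNED = -4, /* payload is not a whole number of pairs */
    ATT_ERR_TOO_MANY   = -5  /* more pairs than the caller can hold */
};

/* Vulnerable shape: trusts the peer-supplied stride. Never call this on
 * untrusted input; it is here only to show the two faults side by side. */
int att_pairs_naive(const uint8_t *pdu, size_t pdu_len,
                    uint16_t *handles, size_t max_pairs)
{
    size_t stride = pdu[1];
    /* Fault 1: stride == 0 -> integer division by zero (SIGFPE on Linux). */
    size_t declared = (pdu_len - 2) / stride;
    /* Fault 2: walking by stride reads a trailing partial pair past pdu_len,
     * so the loop can visit more pairs than 'declared' accounted for. */
    size_t n = 0;
    for (size_t off = 2; off < pdu_len && n < max_pairs; off += stride, n++)
        handles[n] = (uint16_t)(pdu[off] | (pdu[off + 1] << 8));
    return (int)declared;
}

/* Hardened shape: every peer-controlled quantity is bounds-checked before it
 * is used as a divisor, a stride or an index. Returns the pair count or a
 * negative att_parse_result. */
int att_pairs_checked(const uint8_t *pdu, size_t pdu_len,
                      uint16_t *handles, size_t max_pairs)
{
    if (pdu_len < 2)
        return ATT_ERR_TRUNCATED;
    if (pdu[0] != ATT_OP_READ_BY_TYPE_RESP)
        return ATT_ERR_OPCODE;

    size_t stride = pdu[1];
    /* A pair is a 2-byte handle plus at least one value byte; this bound also
     * rules out the zero divisor. (The spec tightens the range further.) */
    if (stride < 3)
        return ATT_ERR_BAD_LENGTH;

    size_t payload = pdu_len - 2;
    /* Exact divisibility guarantees the per-pair loop never overruns the PDU. */
    if (payload == 0 || payload % stride != 0)
        return ATT_ERR_MISALIGNED;

    size_t count = payload / stride;
    if (count > max_pairs)
        return ATT_ERR_TOO_MANY;

    for (size_t i = 0; i < count; i++) {
        const uint8_t *pair = pdu + 2 + i * stride;
        handles[i] = (uint16_t)(pair[0] | (pair[1] << 8));
    }
    return (int)count;
}

/* Constructed test vectors (not captured traffic). */
static const uint8_t PDU_VALID[] = {
    0x09, 0x03,             /* opcode, stride 3 */
    0x01, 0x00, 0xAA,       /* handle 0x0001, value AA */
    0x02, 0x00, 0xBB        /* handle 0x0002, value BB */
};
static const uint8_t PDU_ZERO_STRIDE[] = { 0x09, 0x00, 0x01, 0x00 };
static const uint8_t PDU_TRAILING_PARTIAL[] = {
    0x09, 0x04,
    0x01, 0x00, 0xAA, 0xBB, /* one complete pair */
    0x02                    /* 1 byte left where 4 are expected */
};
static const uint8_t PDU_WRONG_OPCODE[] = { 0x08, 0x03, 0x01, 0x00, 0xAA };

static uint16_t demo_handles[MAX_PAIRS];

int main(void)
{
    int rc = att_pairs_checked(PDU_VALID, sizeof PDU_VALID, demo_handles, MAX_PAIRS);
    printf("valid:            %d pairs, first handle 0x%04x\n", rc, demo_handles[0]);
    printf("zero stride:      %d\n", att_pairs_checked(PDU_ZERO_STRIDE, sizeof PDU_ZERO_STRIDE, demo_handles, MAX_PAIRS));
    printf("trailing partial: %d\n", att_pairs_checked(PDU_TRAILING_PARTIAL, sizeof PDU_TRAILING_PARTIAL, demo_handles, MAX_PAIRS));
    printf("wrong opcode:     %d\n", att_pairs_checked(PDU_WRONG_OPCODE, sizeof PDU_WRONG_OPCODE, demo_handles, MAX_PAIRS));
    /* att_pairs_naive(PDU_ZERO_STRIDE, ...) would divide by zero, and
     * att_pairs_naive(PDU_TRAILING_PARTIAL, ...) would read pdu[7] of a
     * 7-byte buffer, so neither is executed here. */
    return 0;
}
```

The hardened parser returns a distinct negative code for each malformation, which is what you want when fuzzing a protocol handler: a harness can assert that every rejected input maps to a named reason rather than only to "no crash". The same pattern (validate the length byte, then check exact divisibility of the remaining payload) applies to the other ATT responses that carry a per-entry length field.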
Users should update to Qt 5.15.19, 6.5.9, 6.8.2 or 6.9.0 (the first fixed release of each affected branch). For those who build Qt from source, the patches and instructions for applying them are available on the Qt Code Review site.