Intel, meanwhile, has issued this bare-bones advisory that categorizes the flaw as privilege-escalation or information-disclosure vulnerability. The advisory assigned a severity score of 8.3 out of a possible 10 to CVE-2020-12351, one of three distinct bugs that comprise BleedingTooth. “Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure,” the advisory states. “BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.” Intel, which is a primary contributor to the BlueZ open source project, said that the most effective way to patch the vulnerabilities is to update to Linux kernel version 5.9, which was published on Sunday. Those who can’t upgrade to version 5.9 can install a series of kernel patches the advisory links to. Maintainers of BlueZ didn’t immediately respond to emails asking for additional details about this vulnerability.
Ars Technica points out that since BleedingTooth requires proximity to a vulnerable device, there’s not much reason for people to worry about this vulnerability. “It also requires highly specialized knowledge and works on only a tiny fraction of the world’s Bluetooth devices,” it adds.