VAR-202105-0145
Vulnerability from variot - Updated: 2025-11-18 12:13

Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time). Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing.

CVE-2020-26556: Not Affected. Vendor Statement: Android does not support Bluetooth Mesh so is not vulnerable.
CVE-2020-26555: Affected. Vendor Statement: Android has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin.
CVE-2020-26557: Not Affected. Vendor Statement: Android does not support Bluetooth Mesh so is not vulnerable.
CVE-2020-26558: Affected. Vendor Statement: Android has reviewed this report and assessed this vulnerability as having impact on Android OS. We will be issuing a patch for this vulnerability in an upcoming Android security bulletin.
CVE-2020-26559: Not Affected. Vendor Statement: Android does not support Bluetooth Mesh so is not vulnerable.
CVE-2020-26560: Not Affected. Vendor Statement: Android does not support Bluetooth Mesh so is not vulnerable.
VU#799380.5: Affected. Vendor Statement: Our assessment of this report is that it is of negligible security impact on Android.

The Bluetooth Mesh profile contains an improper authentication vulnerability. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result. Pillow is a Python-based image processing library. There is currently no information about this vulnerability; follow CNNVD or manufacturer announcements.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202105-0145",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "mesh profile",
"scope": "eq",
"trust": 1.0,
"vendor": "bluetooth",
"version": "1.0.0"
},
{
"model": "mesh profile",
"scope": "eq",
"trust": 1.0,
"vendor": "bluetooth",
"version": "1.0.1"
},
{
"model": "mesh profile",
"scope": "eq",
"trust": 0.8,
"vendor": "bluetooth sig",
"version": "1.0.1"
},
{
"model": "mesh profile",
"scope": "eq",
"trust": 0.8,
"vendor": "bluetooth sig",
"version": "1.0"
},
{
"model": "mesh profile",
"scope": "eq",
"trust": 0.8,
"vendor": "bluetooth sig",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-007329"
},
{
"db": "NVD",
"id": "CVE-2020-26557"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "This document was written by Madison Oliver.Statement Date:\u00a0\u00a0 February 22, 2021",
"sources": [
{
"db": "CERT/CC",
"id": "VU#799380"
}
],
"trust": 0.8
},
"cve": "CVE-2020-26557",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 5.5,
"id": "CVE-2020-26557",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 1.8,
"vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "ADJACENT",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.6,
"id": "CVE-2020-26557",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "High",
"attackVector": "Adjacent Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2020-26557",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-26557",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2020-26557",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202105-1500",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1500"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007329"
},
{
"db": "NVD",
"id": "CVE-2020-26557"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time). Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing.CVE- 2020-26556 Not Affected\nVendor Statement:\nAndroid does not support Bluetooth Mesh so is not vulnerable. \nCVE-2020-26555 Affected\nVendor Statement:\nAndroid has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin. \nCVE-2020-26557 Not Affected\nVendor Statement:\nAndroid does not support Bluetooth Mesh so is not vulnerable. \nCVE-2020-26558 Affected\nVendor Statement:\nAndroid has reviewed this report and assessed this vulnerability as having impact on Android OS. We will be issuing a patch for this vulnerability in an upcoming Android security bulletin. \nCVE-2020-26559 Not Affected\nVendor Statement:\nAndroid does not support Bluetooth Mesh so is not vulnerable. \nCVE-2020-26560 Not Affected\nVendor Statement:\nAndroid does not support Bluetooth Mesh so is not vulnerable. \nVU#799380.5 Affected\nVendor Statement:\nOur assessment of this report is that it is of negligible security impact on Android.CVE- 2020-26556 Not Affected\nVendor Statement:\nAndroid does not support Bluetooth Mesh so is not vulnerable. \nCVE-2020-26555 Affected\nVendor Statement:\nAndroid has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin. \nCVE-2020-26557 Not Affected\nVendor Statement:\nAndroid does not support Bluetooth Mesh so is not vulnerable. 
\nCVE-2020-26558 Affected\nVendor Statement:\nAndroid has reviewed this report and assessed this vulnerability as having impact on Android OS. We will be issuing a patch for this vulnerability in an upcoming Android security bulletin. \nCVE-2020-26559 Not Affected\nVendor Statement:\nAndroid does not support Bluetooth Mesh so is not vulnerable. \nCVE-2020-26560 Not Affected\nVendor Statement:\nAndroid does not support Bluetooth Mesh so is not vulnerable. \nVU#799380.5 Affected\nVendor Statement:\nOur assessment of this report is that it is of negligible security impact on Android. Bluetooth Mesh profile Contains an improper authentication vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-26557"
},
{
"db": "CERT/CC",
"id": "VU#799380"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007329"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
}
],
"trust": 2.88
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-26557",
"trust": 4.1
},
{
"db": "CERT/CC",
"id": "VU#799380",
"trust": 3.2
},
{
"db": "JVN",
"id": "JVNVU99594334",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007329",
"trust": 0.8
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021052614",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021070408",
"trust": 0.6
},
{
"db": "LENOVO",
"id": "LEN-51734",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1500",
"trust": 0.6
},
{
"db": "OTHER",
"id": "NONE",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "CERT/CC",
"id": "VU#799380"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1500"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007329"
},
{
"db": "NVD",
"id": "CVE-2020-26557"
}
]
},
"id": "VAR-202105-0145",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "OTHER",
"id": null
}
],
"trust": 0.01
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"network device"
],
"sub_category": "bluetooth device",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
}
]
},
"last_update_date": "2025-11-18T12:13:36.659000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Reporting\u00a0Security\u00a0Vulnerabilities",
"trust": 0.8,
"url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/"
},
{
"title": "Bluetooth Mesh Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=153465"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202105-1500"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007329"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.0
},
{
"problemtype": "Bad authentication (CWE-863) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-007329"
},
{
"db": "NVD",
"id": "CVE-2020-26557"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://kb.cert.org/vuls/id/799380"
},
{
"trust": 1.6,
"url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/"
},
{
"trust": 1.0,
"url": "https://www.kb.cert.org/vuls/id/799380"
},
{
"trust": 0.8,
"url": "cve- 2020-26556 "
},
{
"trust": 0.8,
"url": "cve-2020-26555 "
},
{
"trust": 0.8,
"url": "cve-2020-26557 "
},
{
"trust": 0.8,
"url": "cve-2020-26558 "
},
{
"trust": 0.8,
"url": "cve-2020-26559 "
},
{
"trust": 0.8,
"url": "cve-2020-26560 "
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu99594334/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-26557"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021070408"
},
{
"trust": 0.6,
"url": "https://support.lenovo.com/us/en/product_security/len-51734"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021052614"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/bluetooth-privilege-escalation-via-mesh-profile-provisioning-predictable-authvalue-35548"
},
{
"trust": 0.1,
"url": "https://ieeexplore.ieee.org/abstract/document/10769424"
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "CERT/CC",
"id": "VU#799380"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1500"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007329"
},
{
"db": "NVD",
"id": "CVE-2020-26557"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "OTHER",
"id": null
},
{
"db": "CERT/CC",
"id": "VU#799380"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1500"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007329"
},
{
"db": "NVD",
"id": "CVE-2020-26557"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-05-24T00:00:00",
"db": "CERT/CC",
"id": "VU#799380"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2021-05-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-1500"
},
{
"date": "2022-02-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-007329"
},
{
"date": "2021-05-24T18:15:07.903000",
"db": "NVD",
"id": "CVE-2020-26557"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-12-09T00:00:00",
"db": "CERT/CC",
"id": "VU#799380"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2022-07-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-1500"
},
{
"date": "2022-02-08T07:08:00",
"db": "JVNDB",
"id": "JVNDB-2021-007329"
},
{
"date": "2025-11-04T20:15:57.920000",
"db": "NVD",
"id": "CVE-2020-26557"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote or local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202105-1500"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure",
"sources": [
{
"db": "CERT/CC",
"id": "VU#799380"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.