CVE-2020-26558 [Medium] | Authentication Bypass in Bluetooth Core Specification

Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.02%	0.87%	+0.85%
2	2025-11-21	0.29%	0.02%	-0.27%
3	2025-11-18	—	0.29%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.02%

0.87%

+0.85%

2025-11-21

0.29%

0.02%

-0.27%

2025-11-18

—

0.29%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.2	3.1	MEDIUM	`CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	1.6	2.5	[email protected]
4.3	2.0	MEDIUM	`AV:A/AC:M/Au:N/C:P/I:P/A:N` Click to expand Access vector (AV:A) Requires access to an adjacent network segment. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	5.5	4.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.2

3.1

MEDIUM

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Click to expand

Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

1.6

2.5

[email protected]

4.3

2.0

MEDIUM

AV:A/AC:M/Au:N/C:P/I:P/A:N Click to expand

Access vector (AV:A): Requires access to an adjacent network segment.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

5.5

4.9

[email protected]

OS Trackers for CVE-2020-26558

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2020-26558 not yet assigned priority: Debian including 2 source packages (bluez, linux), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10.	https://security-tracker.debian.org/tracker/CVE-2020-26558
`gentoo`	high	CVE-2020-26558: 1 GLSA(s) (202209-16), 1 atom(s) (net-wireless/bluez); latest impact high.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2020-26558
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2020-26558
`suse`	medium	—	https://www.suse.com/security/cve/CVE-2020-26558/
`ubuntu`	medium	CVE-2020-26558 medium priority: Ubuntu including 169 source packages (bluez, linux, …), 2181 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1682, released 224, not-affected 220, ignored 53, needed 1, needs-triage 1.	https://ubuntu.com/security/CVE-2020-26558

Affected software / configurations for CVE-2020-26558

Vendor	Product	Version	Raw CPE
bluetooth	bluetooth_core_specification	>= 2.1, <= 5.2	cpe:2.3:a:bluetooth:bluetooth_core_specification::::::::
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
linux	linux_kernel	< 5.13	cpe:2.3:o:linux:linux_kernel::::::::
intel	ax210_firmware	—	cpe:2.3:o:intel:ax210_firmware:-:::::::*
intel	ax201_firmware	—	cpe:2.3:o:intel:ax201_firmware:-:::::::*
intel	ax200_firmware	—	cpe:2.3:o:intel:ax200_firmware:-:::::::*
intel	ac_9560_firmware	—	cpe:2.3:o:intel:ac_9560_firmware:-:::::::*
intel	ac_9462_firmware	—	cpe:2.3:o:intel:ac_9462_firmware:-:::::::*
intel	ac_9461_firmware	—	cpe:2.3:o:intel:ac_9461_firmware:-:::::::*
intel	ac_9260_firmware	—	cpe:2.3:o:intel:ac_9260_firmware:-:::::::*
intel	ac_8265_firmware	—	cpe:2.3:o:intel:ac_8265_firmware:-:::::::*
intel	ac_8260_firmware	—	cpe:2.3:o:intel:ac_8260_firmware:-:::::::*
intel	ac_3168_firmware	—	cpe:2.3:o:intel:ac_3168_firmware:-:::::::*
intel	ac_7265_firmware	—	cpe:2.3:o:intel:ac_7265_firmware:-:::::::*
intel	ac_3165_firmware	—	cpe:2.3:o:intel:ac_3165_firmware:-:::::::*
intel	ax1675_firmware	—	cpe:2.3:o:intel:ax1675_firmware:-:::::::*
intel	ax1650_firmware	—	cpe:2.3:o:intel:ax1650_firmware:-:::::::*
intel	ac_1550_firmware	—	cpe:2.3:o:intel:ac_1550_firmware:-:::::::*

References for CVE-2020-26558

URL	Tags
https://kb.cert.org/vuls/id/799380	Third Party Advisory US Government Resource
https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00022.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSS6CTGE4UGTJLCOZOASDR3T3SLL6QJZ/
https://security.gentoo.org/glsa/202209-16	Third Party Advisory
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/	Vendor Advisory
https://www.debian.org/security/2021/dsa-4951	Third Party Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html	Third Party Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00520.html	Third Party Advisory
https://www.kb.cert.org/vuls/id/799380

URL

CVE-2020-26558

Exploit prediction scoring system (EPSS) score for CVE-2020-26558

Common vulnerability scoring system (CVSS) metrics for CVE-2020-26558

Weakness enumeration for CVE-2020-26558

OS Trackers for CVE-2020-26558

Affected software / configurations for CVE-2020-26558

References for CVE-2020-26558