CVE-2022-25836 [High] | Security Vulnerability in Bluetooth Core Specification

Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0 through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when the MITM negotiates Legacy Passkey Pairing with the pairing Initiator and Secure Connections Passkey Pairing with the pairing Responder and brute forces the Passkey entered by the user into the Initiator. The MITM attacker can use the identified Passkey value to complete authentication with the Responder via Bluetooth pairing method confusion.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-11-21	0.12%	0.15%	+0.03%
2	2025-06-25	0.17%	0.12%	-0.04%
3	2025-05-23	—	0.17%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-11-21

0.12%

0.15%

+0.03%

2025-06-25

0.17%

0.12%

-0.04%

2025-05-23

—

0.17%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.5	3.1	HIGH	`CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:N) Service keeps running; no real outage angle.	1.2	5.8	[email protected]
7.5	3.1	HIGH	`CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:N) Service keeps running; no real outage angle.	1.2	5.8	134c704f-9b21-4f2e-91b3-4a467353bcc0

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.5

3.1

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Click to expand

Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N): Service keeps running; no real outage angle.

1.2

5.8

[email protected]

7.5

3.1

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Click to expand

Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N): Service keeps running; no real outage angle.

1.2

5.8

134c704f-9b21-4f2e-91b3-4a467353bcc0

OS Trackers for CVE-2022-25836

vendor	priority	summary	link
`ubuntu`	medium	CVE-2022-25836 medium priority: Ubuntu including 167 source packages (linux, linux-allwinner, …), 1828 status rows across 13 suites (bionic, focal, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1384, ignored 269, needs-triage 152, deferred 23.	https://ubuntu.com/security/CVE-2022-25836

Affected software / configurations for CVE-2022-25836

Vendor	Product	Version	Raw CPE
bluetooth	bluetooth_core_specification	>= 4.0, <= 5.3	cpe:2.3:a:bluetooth:bluetooth_core_specification::::::::

References for CVE-2022-25836

URL	Tags
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/	Vendor Advisory

URL

CVE-2022-25836

Exploit prediction scoring system (EPSS) score for CVE-2022-25836

Common vulnerability scoring system (CVSS) metrics for CVE-2022-25836

Weakness enumeration for CVE-2022-25836

OS Trackers for CVE-2022-25836

Affected software / configurations for CVE-2022-25836

References for CVE-2022-25836