HCE2-SA-2022-0002 Important HCE 2.0 Security Fix(es): BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c. (CVE-2022-39177) BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash. (CVE-2021-41229) BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176) HCE 2.0 bluez-5.54-15.hce2.aarch64.rpm bluez-cups-5.54-15.hce2.aarch64.rpm bluez-devel-5.54-15.hce2.aarch64.rpm bluez-help-5.54-15.hce2.noarch.rpm bluez-libs-5.54-15.hce2.aarch64.rpm bluez-5.54-15.hce2.x86_64.rpm bluez-cups-5.54-15.hce2.x86_64.rpm bluez-devel-5.54-15.hce2.x86_64.rpm bluez-libs-5.54-15.hce2.x86_64.rpm