Executive Summary

This alert is flagged as belonging to the CWE/SANS Top 25 Common Weakness Enumeration list.
Title : Texas Instruments Microcontrollers CC2640 and CC2650 are vulnerable to heap overflow
Name : VU#317277
First vendor Publication : 2018-11-01
Vendor : VU-CERT
Last vendor Modification : 2018-11-02
Severity (Vendor) : N/A
Revision : M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : NA
Base Score : NA
Environmental Score : NA
Impact SubScore : NA
Temporal Score : NA
Exploitability Sub Score : NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:A/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score : 5.8
Cvss Impact Score : 6.4
Cvss Exploit Score : 6.5
Attack Range : Adjacent network
Attack Complexity : Low
Authentication : None Required


Vulnerability Note VU#317277

Texas Instruments Microcontrollers CC2640 and CC2650 are vulnerable to heap overflow

Original Release date: 01 Nov 2018 | Last revised: 02 Nov 2018




CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2018-16986

The BLE-Stacks of both the Texas Instruments CC2640 and CC2650 microcontrollers contain a memory corruption vulnerability resulting from the mishandling of BLE advertising packets. The function llGetAdvChanPDU, which is part of the embedded ROM image in both chips, handles incoming advertising packets and parses their headers. It copies the contents to a separate buffer provided by the calling function. An incorrect packet length is taken, so packets end up being parsed as larger than originally intended. If the incoming data is over a certain length, the function calls halAssertHandler, as defined by the application running on top of the stack, and does not stop execution. Because the flow of execution does not stop, it copies the overly large packet to the buffer and causes a heap overflow.
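
A simplified C model of the failure mode described above, added here as an illustration and not TI's ROM code: an assert handler that returns lets the copy proceed, while a reject-before-copy check does not. The function names, the 37-byte buffer size and the simulated heap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADV_BUF_LEN 37  /* assumed capacity of the caller-supplied buffer */
#define ARENA_LEN   96  /* simulated heap: the buffer plus neighbouring data */

static int assert_calls;  /* stand-in for an application-defined assert handler */
static void app_assert_handler(void) { assert_calls++; }  /* records, then returns */

/* Pattern from the note: the check only calls the handler, then falls through. */
static int copy_pdu_assert_only(uint8_t *dst, const uint8_t *pdu, size_t len) {
    if (len > ADV_BUF_LEN)
        app_assert_handler();  /* returns; nothing stops the copy below */
    memcpy(dst, pdu, len);
    return 0;
}

/* Hardened form: reject the packet before any byte is written. */
static int copy_pdu_checked(uint8_t *dst, size_t dst_len,
                            const uint8_t *pdu, size_t len) {
    if (len > dst_len) {
        app_assert_handler();  /* still reported, but not relied on to halt */
        return -1;
    }
    memcpy(dst, pdu, len);
    return 0;
}

/* Runs one copy inside the simulated heap and returns how many neighbouring
 * bytes (pre-filled with 0xAA) were overwritten. */
static size_t neighbour_bytes_changed(int hardened, size_t len) {
    uint8_t arena[ARENA_LEN], pdu[ARENA_LEN];
    size_t changed = 0;
    memset(arena, 0xAA, sizeof arena);
    memset(pdu, 0x41, sizeof pdu);          /* constructed packet contents */
    if (len > ARENA_LEN) len = ARENA_LEN;   /* keep the demo itself in bounds */
    if (hardened) (void)copy_pdu_checked(arena, ADV_BUF_LEN, pdu, len);
    else          (void)copy_pdu_assert_only(arena, pdu, len);
    for (size_t i = ADV_BUF_LEN; i < ARENA_LEN; i++)
        changed += (arena[i] != 0xAA);
    return changed;
}

int main(void) {
    printf("assert-only: %zu neighbouring bytes changed, checked: %zu\n",
           neighbour_bytes_changed(0, 60), neighbour_bytes_changed(1, 60));
    return 0;
}
```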


Using a specially crafted set of packets, an attacker can control both the data and the length of the overflow, which may lead to remote code execution on the targeted BLE chip. An attacker needs to be within physical proximity of the device while it is in scanning mode to trigger the vulnerable code. This memory corruption can lead to code execution on the main CPU of the device, which could have the potential to affect other devices across a network if the origin is a networked device.

Given the nature of embedded devices, it is possible that a broader set of devices are impacted than what is listed in this publication. If you believe you are affected, please email us at cert@cert.org.


Update the BLE-Stack

This vulnerability was patched in BLE-Stack v2.2.2 released by Texas Instruments on March 28, 2018. Affected devices will require a firmware update to obtain the updated BLE-Stack.

Vendor Information

Vendor                               Status        Date Notified  Date Updated
Aruba Networks                       Affected      12 Oct 2018    19 Oct 2018
Cisco                                Affected      12 Oct 2018    02 Nov 2018
Texas Instruments                    Affected      19 Oct 2018    19 Oct 2018
Apple                                Not Affected  12 Oct 2018    30 Oct 2018
Brocade Communication Systems        Not Affected  12 Oct 2018    19 Oct 2018
Check Point Software Technologies    Not Affected  12 Oct 2018    22 Oct 2018
D-Link Systems, Inc.                 Not Affected  12 Oct 2018    19 Oct 2018
Debian GNU/Linux                     Not Affected  12 Oct 2018    19 Oct 2018
Netgear, Inc.                        Not Affected  12 Oct 2018    19 Oct 2018
Synology                             Not Affected  12 Oct 2018    19 Oct 2018
Toshiba Commerce Solutions           Not Affected  12 Oct 2018    19 Oct 2018
Zyxel                                Not Affected  12 Oct 2018    02 Nov 2018
3com Inc                             Unknown       12 Oct 2018    12 Oct 2018
A10 Networks                         Unknown       12 Oct 2018    12 Oct 2018
ACCESS                               Unknown       12 Oct 2018    12 Oct 2018

If you are a vendor and your product is affected, let us know.



  • http://software-dl.ti.com/lprf/ble_stack/exports/release_notes_BLE_Stack_2_2_2.html
  • https://cwe.mitre.org/data/definitions/119.html
  • https://armis.com/bleedingbit/
  • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-006.txt


We would like to thank Ben Seri at Armis for reporting this vulnerability.

This document was written by Madison Oliver.

Other Information

  • CVE IDs: CVE-2018-16986
  • Date Public: 01 Nov 2018
  • Date First Published: 01 Nov 2018
  • Date Last Updated: 02 Nov 2018
  • Document Revision: 49


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/317277

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Os 3

Alert History

Date                 Information
2019-02-01 21:20:55  Multiple Updates
2018-11-06 21:22:02  Multiple Updates
2018-11-03 00:18:21  Multiple Updates
2018-11-01 21:18:34  First insertion