Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a new bond.
AnalysisAI
Bluetooth LE bond downgrade in Silicon Labs Simplicity SDK allows an adjacent attacker to weaken connection security by deleting an existing bond, impersonating the previously bonded peer, and forcing a new pairing under attacker-controlled parameters. The flaw enables compromise of confidentiality, integrity, and availability of BLE communications on devices built with the affected SDK, and no public exploit has been identified at time of analysis.
Technical ContextAI
The vulnerability resides in the Bluetooth LE bonding/pairing implementation shipped with Silicon Labs' Simplicity SDK (cpe:2.3:a:silabs.com:simplicity_sdk), the development platform used to build firmware for Silicon Labs wireless SoCs and modules. Bonding in BLE stores long-term keys (LTKs) that enable encrypted reconnection without re-pairing; the affected stack does not adequately validate the authenticity of a peer requesting deletion or re-establishment of a bond, mapping to CWE-290 (Authentication Bypass by Spoofing). By removing the prior bond record, an attacker can present itself as the legitimate device on the next connection and complete pairing afresh, potentially under Just Works or otherwise downgraded security parameters, defeating the protections originally negotiated.
RemediationAI
Upstream fix available per vendor advisory; the Silicon Labs Bluetooth software 9.0.0.0 release notes should be consulted to confirm the patched stack version and to update Simplicity SDK and rebuild affected firmware accordingly (https://community.silabs.com/068Vm00000p3N9C and https://www.silabs.com/documents/public/release-notes/bt-software-release-notes-9.0.0.0.pdf). Until firmware on deployed devices can be updated, operators should require the highest available BLE pairing mode (LE Secure Connections with MITM protection / numeric comparison or passkey entry) in application logic and reject Just Works re-pairings, monitor for unexpected bond loss or re-pairing events on managed fleets, and where feasible operate sensitive devices in physically controlled environments to reduce the radio-range exposure that this attack requires. These mitigations may increase user friction during legitimate re-pairing and will not protect implementations that rely solely on default stack behavior, so firmware update remains the durable remediation.
More in Simplicity Sdk
View allSame weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31969
GHSA-h7g2-qqw7-mf7r