PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8676 silabs.com CVE debrief

A high-severity Bluetooth Low Energy (BLE) authentication bypass in Silicon Labs Bluetooth software. An attacker within radio range can downgrade connection security by deleting an existing bond, spoofing the identity of the bonded device, and establishing a new bond, so that the authentication the original bond provided no longer applies. The root cause is improper authentication of the peer (CWE-290, Authentication Bypass by Spoofing) in the BLE pairing and bonding implementation. Published 2026-05-26 with CVSS 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): adjacent (radio-range) access, low attack complexity, no privileges or user interaction, and high impact on confidentiality, integrity and availability. Silicon Labs addressed the flaw in Bluetooth software release 9.0.0.0.

Vendor
silabs.com
Product
Simplicity SDK
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Organizations deploying Bluetooth Low Energy devices using Silicon Labs Bluetooth stack; IoT security teams managing BLE medical devices, industrial sensors, or consumer electronics; product security engineers responsible for wireless protocol implementations; and compliance teams evaluating Bluetooth security controls against NIST SP 800-121 or similar wireless security frameworks.

Technical summary

The flaw sits in the BLE pairing and bonding logic: the peer's identity is not sufficiently verified when a device that already holds a bond is asked to pair again. An attacker in radio range who presents the identity of an already bonded device can get the existing bond deleted and trigger a fresh bonding procedure. If that new pairing falls back to an unauthenticated association model (Just Works), or is otherwise accepted without the authentication that produced the original bond, the attacker ends up holding a valid bond under the legitimate device's identity, which is exactly the spoofing-based authentication bypass that CWE-290 describes. No privileges or user interaction are required (PR:N/UI:N), only adjacent access over the radio (AV:A). A successful attack gives the attacker a link the device treats as trusted, and with it full control over the confidentiality, integrity and availability of whatever is exchanged over that connection.

Defensive priority

HIGH

Recommended defensive actions

  • Review the Silicon Labs Bluetooth software release notes for 9.0.0.0 to confirm which SDK versions and products are affected
  • Inventory BLE products built on the Silicon Labs Bluetooth stack (Simplicity SDK), including devices where the stack version is not obvious from the product name
  • Verify that the application does not silently replace an existing bond when a peer presenting the same identity address asks to pair again; require explicit confirmation and an authenticated pairing before any re-bonding, and never swap an authenticated bond for an unauthenticated one
  • Require LE Secure Connections with an authenticated association model (Numeric Comparison or Passkey Entry) where the hardware and the peer support it; Just Works provides no MITM protection, so a re-bond accepted over Just Works carries no authentication at all
  • Log and alert on bond deletion and re-bonding events, in particular a deletion followed shortly by a new bond for the same peer identity
  • Update to Bluetooth software 9.0.0.0 or later once the vendor confirms applicability; the application-level controls above reduce exposure but do not replace the stack fix
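
The re-bonding path described in the technical summary and the bond-policy, pairing-method and monitoring items above, as an added example that is not code from the original page or from Silicon Labs. It is a self-contained C model of application-side bond handling: the pairing request, bond table, policy flags (hypothetical names, modelled on the kind of security-requirement flags a BLE stack exposes to the application), event log, sample peer address and detection rule are all constructed here, and the radio and SMP exchange are abstracted away. The page does not say by what mechanism the attacker forces the bond deletion, so the model simply lets a peer that presents a bonded identity request a fresh pairing and shows what each policy does with it.

```c
/* Added example, not Silicon Labs code: a model of application-side BLE bond
 * policy. Radio, link layer and SMP messages are abstracted away; only the
 * decision "accept this pairing request and store a bond?" is modelled. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_BONDS 4
#define MAX_EVENTS 16
#define ADDR_LEN 6

typedef enum { ASSOC_JUST_WORKS, ASSOC_PASSKEY_ENTRY, ASSOC_NUMERIC_COMPARISON } assoc_t;
typedef enum { EV_BOND_CREATED, EV_BOND_DELETED, EV_PAIRING_REJECTED } ev_t;

typedef struct { bool in_use; unsigned char addr[ADDR_LEN]; bool authenticated; } bond_t;
typedef struct { ev_t type; unsigned char addr[ADDR_LEN]; bool authenticated; } event_t;

typedef struct {
    bond_t bonds[MAX_BONDS];
    event_t events[MAX_EVENTS];   /* security event log, the input for detection */
    int n_events;
    /* Policy knobs (hypothetical names, modelled on the security-requirement
     * flags a BLE stack typically exposes to the application). */
    bool require_mitm;    /* refuse pairings without MITM protection */
    bool require_sc;      /* refuse legacy pairing, LE Secure Connections only */
    bool confirm_rebond;  /* never silently replace an existing bond */
} device_t;

typedef struct { unsigned char addr[ADDR_LEN]; assoc_t assoc; bool secure_connections; } pairing_req_t;

static void log_event(device_t *d, ev_t t, const unsigned char *addr, bool auth) {
    if (d->n_events >= MAX_EVENTS) return;
    event_t *e = &d->events[d->n_events++];
    e->type = t; memcpy(e->addr, addr, ADDR_LEN); e->authenticated = auth;
}

static bond_t *find_bond(device_t *d, const unsigned char *addr) {
    for (int i = 0; i < MAX_BONDS; i++)
        if (d->bonds[i].in_use && memcmp(d->bonds[i].addr, addr, ADDR_LEN) == 0) return &d->bonds[i];
    return NULL;
}

static bool store_bond(device_t *d, const unsigned char *addr, bool auth) {
    for (int i = 0; i < MAX_BONDS; i++) {
        if (d->bonds[i].in_use) continue;
        d->bonds[i].in_use = true; d->bonds[i].authenticated = auth;
        memcpy(d->bonds[i].addr, addr, ADDR_LEN);
        log_event(d, EV_BOND_CREATED, addr, auth);
        return true;
    }
    return false; /* bond table full */
}

/* Pairing decision. `user_confirmed` models an explicit confirmation (button
 * press, app prompt) that the hardened policy demands before an existing bond
 * may be replaced. Just Works carries no MITM protection, so a bond made with
 * it is recorded as unauthenticated. */
bool handle_pairing_request(device_t *d, const pairing_req_t *req, bool user_confirmed) {
    bool auth = req->assoc != ASSOC_JUST_WORKS;
    bond_t *existing = find_bond(d, req->addr);

    if ((d->require_sc && !req->secure_connections) || (d->require_mitm && !auth)) {
        log_event(d, EV_PAIRING_REJECTED, req->addr, auth);
        return false;
    }
    if (existing) {
        /* Weak policy: drop the old bond and re-bond with whoever presents the
         * bonded address, the downgrade the advisory describes. Hardened policy:
         * keep the bond unless confirmed, and never swap an authenticated bond
         * for an unauthenticated one. */
        bool downgrade = existing->authenticated && !auth;
        if (d->confirm_rebond && (!user_confirmed || downgrade)) {
            log_event(d, EV_PAIRING_REJECTED, req->addr, auth);
            return false;
        }
        existing->in_use = false;
        log_event(d, EV_BOND_DELETED, req->addr, existing->authenticated);
    }
    return store_bond(d, req->addr, auth);
}

/* Detection over the event log: a BOND_DELETED followed by a BOND_CREATED for
 * the same identity address where the replacement bond is unauthenticated. */
int count_suspicious_rebonds(const device_t *d) {
    int n = 0;
    for (int i = 0; i < d->n_events; i++) {
        if (d->events[i].type != EV_BOND_DELETED) continue;
        for (int j = i + 1; j < d->n_events; j++)
            if (d->events[j].type == EV_BOND_CREATED && !d->events[j].authenticated &&
                memcmp(d->events[j].addr, d->events[i].addr, ADDR_LEN) == 0) { n++; break; }
    }
    return n;
}

/* Constructed sample identity address of the legitimate peer. */
static const unsigned char VICTIM_ADDR[ADDR_LEN] = {0xC0, 0xFF, 0xEE, 0x00, 0x00, 0x01};

/* Replay of the advisory scenario under a chosen policy: the genuine peer bonds
 * with Numeric Comparison over LE Secure Connections, then a peer presenting the
 * same identity address asks to pair again with legacy Just Works. Returns true
 * if the second (attacker) pairing is accepted; *d holds the end state. */
bool run_scenario(bool mitm, bool sc, bool confirm, device_t *d) {
    memset(d, 0, sizeof *d);
    d->require_mitm = mitm; d->require_sc = sc; d->confirm_rebond = confirm;
    pairing_req_t legit = { .assoc = ASSOC_NUMERIC_COMPARISON, .secure_connections = true };
    pairing_req_t spoof = { .assoc = ASSOC_JUST_WORKS, .secure_connections = false };
    memcpy(legit.addr, VICTIM_ADDR, ADDR_LEN);
    memcpy(spoof.addr, VICTIM_ADDR, ADDR_LEN);
    handle_pairing_request(d, &legit, true);
    return handle_pairing_request(d, &spoof, false);
}

int attacker_bonded(bool mitm, bool sc, bool confirm) { device_t d; return run_scenario(mitm, sc, confirm, &d); }
int suspicious_rebonds(bool mitm, bool sc, bool confirm) { device_t d; run_scenario(mitm, sc, confirm, &d); return count_suspicious_rebonds(&d); }
int victim_bond_authenticated(bool mitm, bool sc, bool confirm) {
    device_t d; run_scenario(mitm, sc, confirm, &d);
    bond_t *b = find_bond(&d, VICTIM_ADDR);
    return b != NULL && b->authenticated;
}

int main(void) {
    printf("weak policy   : attacker bonded=%d suspicious=%d victim bond authenticated=%d\n",
           attacker_bonded(0, 0, 0), suspicious_rebonds(0, 0, 0), victim_bond_authenticated(0, 0, 0));
    printf("confirm only  : attacker bonded=%d suspicious=%d victim bond authenticated=%d\n",
           attacker_bonded(0, 0, 1), suspicious_rebonds(0, 0, 1), victim_bond_authenticated(0, 0, 1));
    printf("hardened (all): attacker bonded=%d suspicious=%d victim bond authenticated=%d\n",
           attacker_bonded(1, 1, 1), suspicious_rebonds(1, 1, 1), victim_bond_authenticated(1, 1, 1));
    return 0;
}
```

Under the weak policy the authenticated bond is replaced by an unauthenticated one and the detector flags the delete-then-rebond sequence; with confirm_rebond alone the existing bond survives because the replacement is both unconfirmed and a downgrade; with MITM protection and Secure Connections required the spoofed Just Works request never reaches the bond table. On a real Silicon Labs application the equivalent decisions are made through the stack's security manager configuration and bonding-confirmation events; take the exact flag names and semantics from the vendor's API reference and release notes rather than from the hypothetical names used here.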

Evidence notes

Vendor attribution is based on the reference domain (silabs.com) with low confidence and requires review. CVE status 'Received' indicates preliminary NVD processing, so the description and CVSS vector may still change. The advisory text available here does not state by what mechanism the attacker forces the existing bond to be deleted.

Official resources

2026-05-26T21:16:44.630Z