CVE-2021-3658: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2021-3658) affects the bluetoothd component from BlueZ, the Linux Bluetooth protocol stack. The issue was discovered in 2021 and involves incorrect handling of adapters' Discoverable status when a device is powered down and up. Specifically, the bluetoothd daemon incorrectly saves and restores the Discoverable status during power state transitions (NVD, Ubuntu).

The vulnerability stems from a design flaw where the bluetoothd daemon saves the adapter's Discoverable status when a device is powered down and restores it when powered up. The issue occurs because the discoverable setting is stored even when it was set temporarily by discovery clients, rather than only when explicitly changed via the Discoverable property. This behavior was fixed in an upstream commit that modified the storing logic to only persist the discoverable setting if it was not set temporarily by discovery (Kernel Commit).

If exploited, this vulnerability could lead to inadvertent exposure of the Bluetooth stack to physically proximate attackers. When a device is powered down while in discoverable mode, it will automatically become discoverable again when powered back on, potentially exposing the Bluetooth interface without user awareness (Bugzilla).

The issue was addressed in an upstream fix (commit b497b5942a8) that modifies the behavior to only store the discoverable setting when it is explicitly changed via the Discoverable property, and not when it is temporarily set by discovery clients. Users should update to a patched version of BlueZ that includes this fix (Kernel Commit).