CPATH-2026-0014 · SMART GLASSES AR

HoloLens Broadcom Wi-Fi over-the-air RCE/DoS (ADV190017: CVE-2019-9501/9503)

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.

Paths CRITICAL Dominant consequence DEVICE_CONTROL_SAFETY Physical/safety · Evidence EV:2 (report-backed) · Liveness PATCH_AVAILABLE

CPATH ID	`CPATH-2026-0014`
CVE(s)	CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503
Device / class	HoloLens Broadcom Wi-Fi over-the-air RCE/DoS (ADV190017: CVE-2019-9501/9503) (SMART GLASSES AR)
Vendor	Microsoft
Dominant consequence	`DEVICE_CONTROL_SAFETY` (Physical/safety)
Paths verdict	CRITICAL (worst of 2 paths)
Published baseline	v3.1 8.3 HIGH `CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H` · NVD (CVE-2019-9500) v3.1 7.9 HIGH `CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H` · CERT/CC via NVD (CVE-2019-9500) v3.1 8.8 HIGH `CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` · NVD (CVE-2019-9501) v3.1 7.9 HIGH `CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H` · CERT/CC via NVD (CVE-2019-9501) v3.1 8.8 HIGH `CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` · NVD (CVE-2019-9502) v3.1 7.9 HIGH `CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H` · CERT/CC via NVD (CVE-2019-9502) v3.1 8.3 HIGH `CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H` · NVD (CVE-2019-9503) v3.1 7.9 HIGH `CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H` · CERT/CC via NVD (CVE-2019-9503)
Baseline relationship	▼ Paths higher
Consequence dimension(s)	#1 #2 (what these mean)
Scored	2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence	high

Consequence Paths

Paths Assessment

Physical/safety

`DEVICE_CONTROL_SAFETY`

CRITICAL

Reachability RE:2

Complexity EC:1

Consequence DEVICE_CONTROL_SAFETY

Scale SR:4 / SX:2

Verdict CRITICAL

Reachability 2

Complexity 1

Exposure 1

Physical / safety 3

Data / perception 4

Authority 3

Chainability 4

Reuse scale 4

Execution scale 2

Recovery 3

Evidence EV:2 · report-backed

Liveness PATCH_AVAILABLE

Vector

CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:1/EX:1/PH:3/DP:4/AT:3/CH:4/SR:4/SX:2/OR:3/EV:2/LS:PATCH_AVAILABLE

Physical/safety

`DEVICE_AVAILABILITY`

HIGH

Reachability RE:2

Complexity EC:4

Consequence DEVICE_AVAILABILITY

Scale SR:4 / SX:2

Verdict HIGH

Reachability 2

Complexity 4

Exposure 2

Physical / safety 3

Data / perception 0

Authority 2

Chainability 2

Reuse scale 4

Execution scale 2

Recovery 2

Evidence EV:2 · report-backed

Liveness PATCH_AVAILABLE

Vector

CPATH:1.0-candidate/TT:DEVICE_AVAILABILITY/RE:2/EC:4/EX:2/PH:3/DP:0/AT:2/CH:2/SR:4/SX:2/OR:2/EV:2/LS:PATCH_AVAILABLE

Assessment

CFSE Consequence Paths assesses HoloLens Broadcom Wi-Fi over-the-air RCE/DoS (ADV190017: CVE-2019-9501/9503) at CRITICAL — the worst of 2 risk paths (safety). The dominant consequence is influence over a safety-relevant actuation.

Vulnerability

HoloLens Broadcom Wi-Fi over-the-air RCE/DoS (ADV190017: CVE-2019-9501/9503). Reported attack vector: ADJACENT_NETWORK (Wi-Fi radio proximity, unauthenticated).

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

`DEVICE_CONTROL_SAFETY` → CRITICAL

CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:1/EX:1/PH:3/DP:4/AT:3/CH:4/SR:4/SX:2/OR:3/EV:2/LS:PATCH_AVAILABLE

Exposure EX=1 (execution complexity-bound) · bands PH=HIGH · DP=CRITICAL · AT=HIGH → base CRITICAL · caps low-exposure cap → assessed CRITICAL.

RE2 — Wi-Fi radio proximity, unauthenticated, no association or victim physical access (ADJACENT).
EC1 — reliable heap-overflow RCE is exploit-dependent, fragile/timing-sensitive (DoS is easy, code exec is hard).
AT3 — native code at wireless-driver/kernel level = device compromise / service-level authority, but not a signing/OTA/identity root, so not 4.
PH3 — compromise of a head-worn MR display with cameras and live spatial mapping reduces safety margin and can influence what the wearer perceives as real (mid-use); credible injury (PH4) not demonstrated.
DP4 — code execution exposes camera/spatial-map/live-sensor world-model state and can affect rendered-environment integrity.
perception_feeds_action — true: the headset’s camera/spatial map drives the wearer’s perception of safety-relevant reality and AR rendering.
CH4 — boundary_crossing true: driver/kernel compromise crosses radio->device->perception/safety boundaries and is a reusable bridge.
SR4 — same Broadcom driver/payload reused across many affected units (shared-component supply-chain reuse).
SX2 — per-device proximity required (range-limited per attacker, one nearby unit at a time).
OR3 — requires firmware/driver update push to detect/recover; not a full recall or signing-root rotation.
EV2 — report-backed advisory, no field exploitation observed.
active_exploitation — false.

`DEVICE_AVAILABILITY` → HIGH

CPATH:1.0-candidate/TT:DEVICE_AVAILABILITY/RE:2/EC:4/EX:2/PH:3/DP:0/AT:2/CH:2/SR:4/SX:2/OR:2/EV:2/LS:PATCH_AVAILABLE

Exposure EX=2 (reachability-bound) · bands PH=HIGH · DP=MONITOR · AT=ELEVATED → base HIGH → assessed HIGH.

DoS branch (CVSS A:H).
RE2 — Wi-Fi proximity, unauthenticated, no physical access.
EC4 — DoS via crafted frames is trivial/single-request and reliable (explicitly stated as trivial).
PH2 — a crash mid-use disrupts the wearer / workflow availability disruption without severe harm.
DP0 — pure crash, no data exposure on this path.
AT2 — bounded availability impact of the device/component, no authority gain.
CH2 — boundary_crossing true: crosses radio->device boundary but is not a reusable cross-domain authority bridge on its own.
SR4 — identical frame payload reusable against any affected Broadcom-driver unit (shared component).
SX2 — per-device proximity, range-limited per attacker.
OR2 — device reboots/recovers; firmware update needed to prevent recurrence but no fleet reprovision.
EV2 — report-backed.
active_exploitation — false.

Published baseline

v3.1 8.3 HIGH — CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H — NVD (CVE-2019-9500)
v3.1 7.9 HIGH — CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H — CERT/CC via NVD (CVE-2019-9500)
v3.1 8.8 HIGH — CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — NVD (CVE-2019-9501)
v3.1 7.9 HIGH — CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H — CERT/CC via NVD (CVE-2019-9501)
v3.1 8.8 HIGH — CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — NVD (CVE-2019-9502)
v3.1 7.9 HIGH — CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H — CERT/CC via NVD (CVE-2019-9502)
v3.1 8.3 HIGH — CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H — NVD (CVE-2019-9503)
v3.1 7.9 HIGH — CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H — CERT/CC via NVD (CVE-2019-9503)

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

Score it yourself in the calculator Review this score

Cite this entry:

CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0014 (“HoloLens Broadcom Wi-Fi over-the-air RCE/DoS (ADV190017: CVE-2019-9501/9503)”), paths.cfse.ai/CPATH-2026-0014 (published 2026-06-03).