FKIE_CVE-2025-38315

Vulnerability from fkie_nvd - Published: 2025-07-10 08:15 - Updated: 2025-11-18 12:55
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: Check dsbr size from EFI variable Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variable size. If the final result doesn't match what we expect also fail. This fixes a stack buffer overflow when the EFI variable is larger than struct btintel_dsbr.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3aa1dc3c9060e335e82e9c182bf3d1db29220b1bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7b8526bb489780ccc0caffc446ecabec83cfe568Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9427f6081f37c795a8bd29d0ee72a4da3bd64af8Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.11
linux linux_kernel 6.11
linux linux_kernel 6.11
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6FDD3526-677B-4A8D-8220-1513CA0BBEC9",
              "versionEndExcluding": "6.12.34",
              "versionStartIncluding": "6.11.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0541C761-BD5E-4C1A-8432-83B375D7EB92",
              "versionEndExcluding": "6.15.3",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*",
              "matchCriteriaId": "4770BA57-3F3F-493B-8608-EC3B25254949",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "B77A9280-37E6-49AD-B559-5B23A3B1DC3D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "DE5298B3-04B4-4F3E-B186-01A58B5C75A6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Check dsbr size from EFI variable\n\nSince the size of struct btintel_dsbr is already known, we can just\nstart there instead of querying the EFI variable size. If the final\nresult doesn\u0027t match what we expect also fail. This fixes a stack buffer\noverflow when the EFI variable is larger than struct btintel_dsbr."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: btintel: Verificar el tama\u00f1o de dsbr desde la variable EFI. Dado que el tama\u00f1o de struct btintel_dsbr ya se conoce, podemos empezar por ah\u00ed en lugar de consultar el tama\u00f1o de la variable EFI. Si el resultado final no coincide con lo esperado, tambi\u00e9n falla. Esto corrige un desbordamiento del b\u00fafer de pila cuando la variable EFI es mayor que struct btintel_dsbr."
    }
  ],
  "id": "CVE-2025-38315",
  "lastModified": "2025-11-18T12:55:03.403",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-07-10T08:15:30.477",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3aa1dc3c9060e335e82e9c182bf3d1db29220b1b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7b8526bb489780ccc0caffc446ecabec83cfe568"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9427f6081f37c795a8bd29d0ee72a4da3bd64af8"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-674"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.