FKIE_CVE-2025-40308

Vulnerability from fkie_nvd - Published: 2025-12-08 01:16 - Updated: 2025-12-08 18:26
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bcsp: receive data only if registered\n\nCurrently, bcsp_recv() can be called even when the BCSP protocol has not\nbeen registered. This leads to a NULL pointer dereference, as shown in\nthe following stack trace:\n\n    KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]\n    RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590\n    Call Trace:\n     \u003cTASK\u003e\n     hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627\n     tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290\n     tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706\n     vfs_ioctl fs/ioctl.c:51 [inline]\n     __do_sys_ioctl fs/ioctl.c:907 [inline]\n     __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n     do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n     entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nTo prevent this, ensure that the HCI_UART_REGISTERED flag is set before\nprocessing received data. If the protocol is not registered, return\n-EUNATCH."
    }
  ],
  "id": "CVE-2025-40308",
  "lastModified": "2025-12-08T18:26:19.900",
  "metrics": {},
  "published": "2025-12-08T01:16:03.073",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.