CVE-2025-40308

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: bcsp: receive data only if registered

Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:

KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590
Call Trace:
 <TASK>
 hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627
 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux48effdb7a798232db945503cf3f51e0be8070cea < 39a7d40314b6288cfa2d13269275e9247a7a055aaffected
LinuxLinux45fa7bd82c6178f4fec0ab94891144a043ec5fe8 < 164586725b47f9d61912e6bf17dbaffeff11710baffected
LinuxLinuxd71a57a34ab6bbc95dc461158403c02e8ff3f912 < b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9affected
LinuxLinux9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf < 8b892dbef3887dbe9afdc7176d1a5fd90e1636aaaffected
LinuxLinux806464634e7fc6b523160defeeddb1ade2a72f81 < 799cd62cbcc3f12ee04b33ef390ff7d41c37d671affected
LinuxLinux6b7a32fa9bacdebd98c18b2a56994116995ee643 < b420a4c7f915fc1c94ad1f6ca740acc046d94334affected
LinuxLinux366ceff495f902182d42b6f41525c2474caf3f9a < 55c1519fca830f59a10bbf9aa8209c87b06cf7bcaffected
LinuxLinux366ceff495f902182d42b6f41525c2474caf3f9a < ca94b2b036c22556c3a66f1b80f490882deef7a6affected
LinuxLinux15543b7bbe7b5f744fdbb44f75b14f81a0117813affected
LinuxLinuxa4b89a45b12b69bc82c8137346b150a118e02c26affected
LinuxLinux5.4.293 < 5.4.302affected
LinuxLinux5.10.237 < 5.10.247affected
LinuxLinux5.15.181 < 5.15.197affected
LinuxLinux6.1.135 < 6.1.159affected
LinuxLinux6.6.88 < 6.6.117affected
LinuxLinux6.12.24 < 6.12.58affected
LinuxLinux6.13.12 < 6.14affected
LinuxLinux6.14.3 < 6.15affected
LinuxLinux6.15affected
LinuxLinux0 < 6.15unaffected
LinuxLinux5.4.302 <= 5.4.*unaffected
LinuxLinux5.10.247 <= 5.10.*unaffected
LinuxLinux5.15.197 <= 5.15.*unaffected
LinuxLinux6.1.159 <= 6.1.*unaffected
LinuxLinux6.6.117 <= 6.6.*unaffected
LinuxLinux6.12.58 <= 6.12.*unaffected
LinuxLinux6.17.8 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References