CVE-2025-68298

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref

In btusb_mtk_setup(), we set btmtk_data->isopkt_intf to: usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)

That function can return NULL in some cases. Even when it returns NULL, though, we still go on to call btusb_mtk_claim_iso_intf().

As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf() when btmtk_data->isopkt_intf is NULL will cause a crash because we'll end up passing a bad pointer to device_lock(). Prior to that commit we'd pass the NULL pointer directly to usb_driver_claim_interface() which would detect it and return an error, which was handled.

Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check at the start of the function. This makes the code handle a NULL btmtk_data->isopkt_intf the same way it did before the problematic commit (just with a slight change to the error message printed).

Affected Software

VendorProductVersion RangeStatus
LinuxLinux930e1790b99e5839e1af69d2f7fd808f1fba2df9 < 2fa09fe98ca3b114d66285f65f7e108fea131815affected
LinuxLinuxe9087e828827e5a5c85e124ce77503f2b81c3491 < c3b990e0b23068da65f0004cd38ee31f43f36460affected
LinuxLinuxe9087e828827e5a5c85e124ce77503f2b81c3491 < c884a0b27b4586e607431d86a1aa0bb4fb39169caffected
LinuxLinux4194766ec8756f4f654d595ae49962acbac49490affected
LinuxLinux6.12.13 < 6.12.61affected
LinuxLinux6.13.2 < 6.14affected
LinuxLinux6.14affected
LinuxLinux0 < 6.14unaffected
LinuxLinux6.12.61 <= 6.12.*unaffected
LinuxLinux6.17.11 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References