CVE-2025-39889
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-24

Last updated on: 2026-04-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Check encryption key size on incoming connection This is required for passing GAP/SEC/SEM/BI-04-C PTS test case: Security Mode 4 Level 4, Responder - Invalid Encryption Key Size - 128 bit This tests the security key with size from 1 to 15 bytes while the Security Mode 4 Level 4 requests 16 bytes key size. Currently PTS fails with the following logs: - expected:Connection Response: Code: [3 (0x03)] Code Identifier: (lt)WildCard: Exists(gt) Length: [8 (0x0008)] Destination CID: (lt)WildCard: Exists(gt) Source CID: [64 (0x0040)] Result: [3 (0x0003)] Connection refused - Security block Status: (lt)WildCard: Exists(gt), but received:Connection Response: Code: [3 (0x03)] Code Identifier: [1 (0x01)] Length: [8 (0x0008)] Destination CID: [64 (0x0040)] Source CID: [64 (0x0040)] Result: [0 (0x0000)] Connection Successful Status: [0 (0x0000)] No further information available And HCI logs: < HCI Command: Read Encrypti.. (0x05|0x0008) plen 2 Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.) > HCI Event: Command Complete (0x0e) plen 7 Read Encryption Key Size (0x05|0x0008) ncmd 1 Status: Success (0x00) Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.) Key size: 7 > ACL Data RX: Handle 14 flags 0x02 dlen 12 L2CAP: Connection Request (0x02) ident 1 len 4 PSM: 4097 (0x1001) Source CID: 64 < ACL Data TX: Handle 14 flags 0x00 dlen 16 L2CAP: Connection Response (0x03) ident 1 len 8 Destination CID: 64 Source CID: 64 Result: Connection successful (0x0000) Status: No further information available (0x0000)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-24
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2025-09-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-39889
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.11 (inc) to 5.15.181 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.135 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.88 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.25 (exc)
linux linux_kernel From 6.13 (inc) to 6.14.4 (exc)
linux linux_kernel 6.15
linux linux_kernel 6.15
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel's Bluetooth l2cap component involves improper checking of the encryption key size on incoming connections. Specifically, the system does not enforce the required 16-byte encryption key size mandated by Security Mode 4 Level 4, allowing connections with smaller keys (1 to 15 bytes). This causes the system to accept connections that should be refused due to insufficient encryption strength.

Impact Analysis

This vulnerability can impact you by allowing Bluetooth connections that use weaker encryption keys than required, potentially exposing your device to security risks such as unauthorized access or data interception. Because the system accepts connections with smaller-than-required encryption keys, attackers might exploit this to bypass security controls and compromise the confidentiality and integrity of Bluetooth communications.

Compliance Impact

This vulnerability could negatively affect compliance with security requirements in standards and regulations like GDPR and HIPAA, which mandate strong protection of sensitive data. Accepting Bluetooth connections with insufficient encryption key sizes may lead to weaker data protection, increasing the risk of unauthorized data access or breaches, thereby potentially violating these regulations' security obligations.

Detection Guidance

Detection involves monitoring Bluetooth L2CAP connection attempts and checking the encryption key size used in incoming connections. Specifically, you can analyze HCI logs for the 'Read Encryption Key Size' command and verify if the key size is less than the required 16 bytes for Security Mode 4 Level 4. Commands to capture such logs include using 'btmon' to monitor Bluetooth traffic and 'hcidump' to capture HCI events. For example, running 'sudo btmon' or 'sudo hcidump' on the affected system can help observe the encryption key size during connection attempts.

Mitigation Strategies

Immediate mitigation involves ensuring that the Bluetooth stack enforces the minimum encryption key size of 16 bytes for Security Mode 4 Level 4 connections. Applying the patch or update that fixes the vulnerability in the Linux kernel Bluetooth L2CAP component is necessary. Until then, restricting Bluetooth connections to trusted devices and disabling Bluetooth if not needed can reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-39889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart