CVE-2025-40308
Status: Awaiting Analysis - Queue

Publication date: 2025-12-08

Last updated on: 2025-12-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: bcsp: receive data only if registered

Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:

KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590
Call Trace:
<TASK>
hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627
tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's Bluetooth subsystem, specifically in the bcsp_recv() function. The function can be called even when the BCSP protocol has not been registered, leading to a NULL pointer dereference. This means the system tries to access memory through a pointer that has not been properly initialized, causing a crash or instability. The issue arises because the code does not check if the protocol is registered before processing received data.


How can this vulnerability impact me?

The vulnerability can cause a NULL pointer dereference in the Linux kernel Bluetooth driver, which may lead to system crashes or instability. This can disrupt Bluetooth functionality and potentially affect the overall reliability of the system running the vulnerable kernel.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a NULL pointer dereference in the Linux kernel Bluetooth bcsp_recv() function when the BCSP protocol is not registered. Detection would involve monitoring kernel logs for KASAN null pointer dereference messages related to bcsp_recv or Bluetooth bcsp. You can check kernel logs using commands like 'dmesg | grep bcsp' or 'journalctl -k | grep bcsp' to look for related error messages or crashes. Additionally, monitoring for Bluetooth subsystem crashes or unusual behavior may help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that the HCI_UART_REGISTERED flag is set before processing received Bluetooth data via the BCSP protocol. If the protocol is not registered, the system should return -EUNATCH to prevent the NULL pointer dereference. Practically, this means applying the relevant Linux kernel patch that fixes this issue or upgrading to a kernel version where this vulnerability is resolved.

