Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: bcsp: receive data only if registered

Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:

    KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
    RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590
    Call Trace:
     <TASK>
     hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627
     tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
     tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
     vfs_ioctl fs/ioctl.c:51 [inline]
     __do_sys_ioctl fs/ioctl.c:907 [inline]
     __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
     do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.
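
The guard the description calls for, as an added user-space C model (not the kernel patch and not code from this record). The struct and function names, the flag's bit value, and the assumption that the per-protocol state pointer is unset until registration are constructed for illustration; the record does not say which pointer is NULL.

```c
#include <errno.h>
#include <stddef.h>

#ifndef EUNATCH
#define EUNATCH 49                 /* Linux errno value, for non-Linux hosts */
#endif

#define HCI_UART_REGISTERED 1u     /* constructed bit value for this model */

struct bcsp_model { size_t rx_total; };   /* stand-in for protocol state */

struct uart_model {
    unsigned long flags;           /* carries HCI_UART_REGISTERED */
    struct bcsp_model *priv;       /* assumed NULL until registered */
};

/* Attach the state first, then publish the flag. */
static void model_register(struct uart_model *hu, struct bcsp_model *st)
{
    hu->priv = st;
    hu->flags |= HCI_UART_REGISTERED;
}

/* Withdraw the flag first, then detach the state. */
static void model_unregister(struct uart_model *hu)
{
    hu->flags &= ~(unsigned long)HCI_UART_REGISTERED;
    hu->priv = NULL;
}

/* Guarded receive: refuse data unless the registered flag is set. */
static int model_recv(struct uart_model *hu, const void *data, int count)
{
    if (!(hu->flags & HCI_UART_REGISTERED))
        return -EUNATCH;           /* hu->priv is never touched here */
    (void)data;
    hu->priv->rx_total += (size_t)count;  /* safe: state is attached */
    return count;
}

int main(void)
{
    struct uart_model hu = { 0, NULL };
    struct bcsp_model st = { 0 };
    const unsigned char frame[4] = { 0xc0, 0x00, 0x00, 0xc0 }; /* constructed */
    int early = model_recv(&hu, frame, 4);    /* before registration */
    model_register(&hu, &st);
    return (early == -EUNATCH && model_recv(&hu, frame, 4) == 4) ? 0 : 1;
}
```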

PUBLISHED Reserved 2025-04-16 | Published 2025-12-08 | Updated 2025-12-08 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 39a7d40314b6288cfa2d13269275e9247a7a055a
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 164586725b47f9d61912e6bf17dbaffeff11710b
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 8b892dbef3887dbe9afdc7176d1a5fd90e1636aa
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 799cd62cbcc3f12ee04b33ef390ff7d41c37d671
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before b420a4c7f915fc1c94ad1f6ca740acc046d94334
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 55c1519fca830f59a10bbf9aa8209c87b06cf7bc
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ca94b2b036c22556c3a66f1b80f490882deef7a6
affected

Default status
affected

5.4.302 (semver)
unaffected

5.10.247 (semver)
unaffected

5.15.197 (semver)
unaffected

6.1.159 (semver)
unaffected

6.6.117 (semver)
unaffected

6.12.58 (semver)
unaffected

6.17.8 (semver)
unaffected

6.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/39a7d40314b6288cfa2d13269275e9247a7a055a

git.kernel.org/...c/164586725b47f9d61912e6bf17dbaffeff11710b

git.kernel.org/...c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9

git.kernel.org/...c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa

git.kernel.org/...c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671

git.kernel.org/...c/b420a4c7f915fc1c94ad1f6ca740acc046d94334

git.kernel.org/...c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc

git.kernel.org/...c/ca94b2b036c22556c3a66f1b80f490882deef7a6

cve.org (CVE-2025-40308)

nvd.nist.gov (CVE-2025-40308)