Detections
Analytics

CVE-2025-40308

medium

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.

References

https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6

https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9

https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334

https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa

https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671

https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc

https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a

https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b

Details

Source: Mitre, NVD

Published: 2025-12-08

Updated: 2025-12-08

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: Medium

EPSS

EPSS: 0.00024