CVE-2025-40308
Published: December 9, 2025Last modified: December 9, 2025
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | linux-lts | Vulnerable (6.1.158-r0) |
| 25 LTS | linux-lts | Fixed (6.12.58-r0) | |
| Stream | linux-lts | Fixed (6.12.58-r0) |
References
- https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b
- https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a
- https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc
- https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671
- https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa
- https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334
- https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9
- https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6