CVE-2025-38473

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-38473
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38473.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38473
Downstream
Related
Published
2025-07-28T11:21:34.880Z
Modified
2026-03-11T07:45:42.678692907Z
Summary
Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix null-ptr-deref in l2capsockresume_cb()

syzbot reported null-ptr-deref in l2capsockresume_cb(). [0]

l2capsockresumecb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in locksock_nested()").

Since both l2capsockkill() and l2capsockresumecb() are executed under l2capsockresumecb(), we can avoid the issue simply by checking if chan->data is NULL.

Let's not access to the killed socket in l2capsockresume_cb().

BUG: KASAN: null-ptr-deref in clearbit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2capsockresumecb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52

CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hcirxwork Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dumpstack+0x30/0x40 lib/dumpstack.c:94 dumpstacklvl+0xd8/0x12c lib/dumpstack.c:120 printreport+0x58/0x84 mm/kasan/report.c:524 kasanreport+0xb0/0x110 mm/kasan/report.c:634 checkregioninline mm/kasan/generic.c:-1 [inline] kasancheck_range+0x264/0x2a4 mm/kasan/generic.c:189 _kasancheckwrite+0x20/0x30 mm/kasan/shadow.c:37 instrumentatomicwrite include/linux/instrumented.h:82 [inline] clearbit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2capsockresumecb+0xb4/0x17c net/bluetooth/l2capsock.c:1711 l2capsecuritycfm+0x524/0xea0 net/bluetooth/l2capcore.c:7357 hciauthcfm include/net/bluetooth/hcicore.h:2092 [inline] hciauthcompleteevt+0x2e8/0xa4c net/bluetooth/hcievent.c:3514 hcieventfunc net/bluetooth/hcievent.c:7511 [inline] hcieventpacket+0x650/0xe9c net/bluetooth/hcievent.c:7565 hcirxwork+0x320/0xb18 net/bluetooth/hcicore.c:4070 processonework+0x7e8/0x155c kernel/workqueue.c:3238 processscheduledworks kernel/workqueue.c:3321 [inline] workerthread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 retfromfork+0x10/0x20 arch/arm64/kernel/entry.S:847

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38473.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d97c899bde330cd1c76c3a162558177563a74362
Fixed
262cd18f5f7ede6a586580cadc5d0799e52e2e7c
Fixed
2b27b389006623673e8cfff4ce1e119cce640b05
Fixed
3a4eca2a1859955c65f07a570156bd2d9048ce33
Fixed
ac3a8147bb24314fb3e84986590148e79f9872ec
Fixed
c4f16f6b071a74ac7eefe5c28985285cbbe2cd96
Fixed
b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08
Fixed
6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0
Fixed
a0075accbf0d76c2dad1ad3993d2e944505d99a0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38473.json"