CVE-2025-40308

Source
https://cve.org/CVERecord?id=CVE-2025-40308
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40308.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40308
Published
2025-12-08T00:46:33.729Z
Modified
2026-03-20T12:43:15.624563Z
Summary
Bluetooth: bcsp: receive data only if registered
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: bcsp: receive data only if registered

Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:

KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590
Call Trace:
 <TASK>
 hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627
 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40308.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
48effdb7a798232db945503cf3f51e0be8070cea
Fixed
39a7d40314b6288cfa2d13269275e9247a7a055a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
45fa7bd82c6178f4fec0ab94891144a043ec5fe8
Fixed
164586725b47f9d61912e6bf17dbaffeff11710b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d71a57a34ab6bbc95dc461158403c02e8ff3f912
Fixed
b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf
Fixed
8b892dbef3887dbe9afdc7176d1a5fd90e1636aa
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
806464634e7fc6b523160defeeddb1ade2a72f81
Fixed
799cd62cbcc3f12ee04b33ef390ff7d41c37d671
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6b7a32fa9bacdebd98c18b2a56994116995ee643
Fixed
b420a4c7f915fc1c94ad1f6ca740acc046d94334
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
366ceff495f902182d42b6f41525c2474caf3f9a
Fixed
55c1519fca830f59a10bbf9aa8209c87b06cf7bc
Fixed
ca94b2b036c22556c3a66f1b80f490882deef7a6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
15543b7bbe7b5f744fdbb44f75b14f81a0117813
Last affected
a4b89a45b12b69bc82c8137346b150a118e02c26

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40308.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
5.4.302
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.247
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.197
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.159
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.117
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.58
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40308.json"