Message-ID: <2025092459-CVE-2025-39889-7f8e@gregkh>
Date: Wed, 24 Sep 2025 13:02:59 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39889: Bluetooth: l2cap: Check encryption key size on incoming connection

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: Check encryption key size on incoming connection

This is required for passing GAP/SEC/SEM/BI-04-C PTS test case:
  Security Mode 4 Level 4, Responder - Invalid Encryption Key Size
  - 128 bit

This tests the security key with size from 1 to 15 bytes while the
Security Mode 4 Level 4 requests 16 bytes key size.

Currently PTS fails with the following logs:
- expected:Connection Response:
    Code: [3 (0x03)] Code
    Identifier: (lt)WildCard: Exists(gt)
    Length: [8 (0x0008)]
    Destination CID: (lt)WildCard: Exists(gt)
    Source CID: [64 (0x0040)]
    Result: [3 (0x0003)] Connection refused - Security block
    Status: (lt)WildCard: Exists(gt),
but received:Connection Response:
    Code: [3 (0x03)] Code
    Identifier: [1 (0x01)]
    Length: [8 (0x0008)]
    Destination CID: [64 (0x0040)]
    Source CID: [64 (0x0040)]
    Result: [0 (0x0000)] Connection Successful
    Status: [0 (0x0000)] No further information available

And HCI logs:
< HCI Command: Read Encrypti.. (0x05|0x0008) plen 2
        Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
> HCI Event: Command Complete (0x0e) plen 7
      Read Encryption Key Size (0x05|0x0008) ncmd 1
        Status: Success (0x00)
        Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
        Key size: 7
> ACL Data RX: Handle 14 flags 0x02 dlen 12
      L2CAP: Connection Request (0x02) ident 1 len 4
        PSM: 4097 (0x1001)
        Source CID: 64
< ACL Data TX: Handle 14 flags 0x00 dlen 16
      L2CAP: Connection Response (0x03) ident 1 len 8
        Destination CID: 64
        Source CID: 64
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)

The Linux kernel CVE team has assigned CVE-2025-39889 to this issue.
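
Added example (not part of the original advisory or the kernel patch): a small detector that replays btmon-style text and reports L2CAP connections accepted on a link whose reported encryption key size is below the required size. The capture is constructed from the HCI log above; the function names and the assumption that the listening PSM requires a 16-byte key (Security Mode 4 Level 4) are this example's own.

```python
import re

# Constructed btmon-style capture, modelled on the HCI log in the advisory.
SAMPLE = """\
> HCI Event: Command Complete (0x0e) plen 7
      Read Encryption Key Size (0x05|0x0008) ncmd 1
        Status: Success (0x00)
        Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
        Key size: 7
> ACL Data RX: Handle 14 flags 0x02 dlen 12
      L2CAP: Connection Request (0x02) ident 1 len 4
        PSM: 4097 (0x1001)
        Source CID: 64
< ACL Data TX: Handle 14 flags 0x00 dlen 16
      L2CAP: Connection Response (0x03) ident 1 len 8
        Destination CID: 64
        Source CID: 64
        Result: Connection successful (0x0000)
"""

def packets(text):
    """Split btmon text into packets: a header line plus its indented details."""
    return re.split(r"\n(?=[<>@=] )", text.strip("\n"))

def field(pkt, name):
    """First decimal value after 'name:' on an indented detail line, else None."""
    m = re.search(rf"^\s+{name}: (\d+)", pkt, re.M)
    return int(m.group(1)) if m else None

def weak_key_accepts(text, required=16):
    """Return (handle, psm, key_size) for each accepted L2CAP connection on a
    link whose last reported encryption key size is below `required` bytes."""
    key_size, psm, findings = {}, {}, []
    for pkt in packets(text):
        if "Read Encryption Key Size" in pkt and field(pkt, "Key size") is not None:
            key_size[field(pkt, "Handle")] = field(pkt, "Key size")
            continue
        acl = re.match(r". ACL Data (RX|TX): Handle (\d+)", pkt)
        if not acl:
            continue
        direction, handle = acl.group(1), int(acl.group(2))
        if direction == "RX" and "L2CAP: Connection Request" in pkt:
            psm[handle] = field(pkt, "PSM")
        elif direction == "TX" and "L2CAP: Connection Response" in pkt:
            result = re.search(r"Result: .*\((0x[0-9a-fA-F]{4})\)", pkt)
            size = key_size.get(handle)
            if result and int(result.group(1), 16) == 0 and size is not None and size < required:
                findings.append((handle, psm.get(handle), size))
    return findings
```

A refusal with result 0x0003 (Connection refused - Security block), which is what the PTS test case expects, produces no finding.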


Affected and fixed versions
===========================

	Issue introduced in 5.11 with commit 288c06973daae4637f25a0d1bdaf65fdbf8455f9 and fixed in 5.15.181 with commit 24b2cdfc16e9bd6ab3d03b8e01c590755bd3141f
	Issue introduced in 5.11 with commit 288c06973daae4637f25a0d1bdaf65fdbf8455f9 and fixed in 6.1.135 with commit c6d527bbd3d3896375079f5dbc8b7f96734a3ba5
	Issue introduced in 5.11 with commit 288c06973daae4637f25a0d1bdaf65fdbf8455f9 and fixed in 6.6.88 with commit 9e3114958d87ea88383cbbf38c89e04b8ea1bce5
	Issue introduced in 5.11 with commit 288c06973daae4637f25a0d1bdaf65fdbf8455f9 and fixed in 6.12.25 with commit d49798ecd26e0ee7995a7fc1e90ca5cd9b4402d6
	Issue introduced in 5.11 with commit 288c06973daae4637f25a0d1bdaf65fdbf8455f9 and fixed in 6.14.4 with commit d4ca2fd218caafbf50e3343ba1260c6a23b5676a
	Issue introduced in 5.11 with commit 288c06973daae4637f25a0d1bdaf65fdbf8455f9 and fixed in 6.15 with commit 522e9ed157e3c21b4dd623c79967f72c21e45b78

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-39889
will be updated if fixes are backported; please check that for the most
up to date information about this issue.
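
Added example (not part of the original advisory): a triage helper that classifies a kernel.org release string against the version list above. The function names and status strings are this example's own, and it assumes upstream version numbering, so a distribution kernel that backports the fix without changing its version will be reported as affected.

```python
import re

# Fixed release per stable branch, copied from the advisory's version list.
FIXED = {(5, 15): 181, (6, 1): 135, (6, 6): 88, (6, 12): 25, (6, 14): 4}
INTRODUCED = (5, 11)      # first affected release
FIXED_MAINLINE = (6, 15)  # this release and later carry the fix

def parse(release):
    """'6.6.87-generic' -> (6, 6, 87); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"not a kernel release string: {release!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)

def status(release):
    """Classify an upstream release string for CVE-2025-39889."""
    major, minor, patch = parse(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "not affected"
    if branch == FIXED_MAINLINE and "-rc" in release:
        # The advisory lists 6.15 as fixed; it does not say which -rc got the fix.
        return "unknown"
    if branch >= FIXED_MAINLINE:
        return "fixed"
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "affected"
    # Affected branch with no fixed release listed in the advisory.
    return "affected, no fix listed for this branch"

if __name__ == "__main__":
    # Constructed sample inputs.
    for rel in ("5.10.200", "6.6.87", "6.6.88-1-generic", "6.13.2", "6.15-rc1"):
        print(rel, "->", status(rel))
```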


Affected files
==============

The file(s) affected by this issue are:
	net/bluetooth/l2cap_core.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/24b2cdfc16e9bd6ab3d03b8e01c590755bd3141f
	https://git.kernel.org/stable/c/c6d527bbd3d3896375079f5dbc8b7f96734a3ba5
	https://git.kernel.org/stable/c/9e3114958d87ea88383cbbf38c89e04b8ea1bce5
	https://git.kernel.org/stable/c/d49798ecd26e0ee7995a7fc1e90ca5cd9b4402d6
	https://git.kernel.org/stable/c/d4ca2fd218caafbf50e3343ba1260c6a23b5676a
	https://git.kernel.org/stable/c/522e9ed157e3c21b4dd623c79967f72c21e45b78
