| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120819-CVE-2025-40301-4d3b@gregkh> Date: Mon, 8 Dec 2025 09:47:25 +0900 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40301: Bluetooth: hci_event: validate skb length for unknown CC opcode From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: validate skb length for unknown CC opcode In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory. The fix is to check skb->len before using skb->data. The Linux kernel CVE team has assigned CVE-2025-40301 to this issue. Affected and fixed versions =========================== Issue introduced in 6.1 with commit afcb3369f46ed5dc883a7b92f2dd1e264d79d388 and fixed in 6.1.159 with commit fea895de78d3bb2f0c09db9f10b18f8121b15759 Issue introduced in 6.1 with commit afcb3369f46ed5dc883a7b92f2dd1e264d79d388 and fixed in 6.6.117 with commit 779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8 Issue introduced in 6.1 with commit afcb3369f46ed5dc883a7b92f2dd1e264d79d388 and fixed in 6.12.58 with commit cf2c2acec1cf456c3d11c11a7589e886a0f963a9 Issue introduced in 6.1 with commit afcb3369f46ed5dc883a7b92f2dd1e264d79d388 and fixed in 6.17.8 with commit 1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50 Issue introduced in 6.1 with commit afcb3369f46ed5dc883a7b92f2dd1e264d79d388 and fixed in 6.18 with commit 5c5f1f64681cc889d9b13e4a61285e9e029d6ab5 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40301 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/bluetooth/hci_event.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/fea895de78d3bb2f0c09db9f10b18f8121b15759 https://git.kernel.org/stable/c/779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8 https://git.kernel.org/stable/c/cf2c2acec1cf456c3d11c11a7589e886a0f963a9 https://git.kernel.org/stable/c/1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50 https://git.kernel.org/stable/c/5c5f1f64681cc889d9b13e4a61285e9e029d6ab5
Powered by blists - more mailing lists