CVE-2025-40308

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: bcsp: receive data only if registered

Currently, bcsp_recv() can be called even when the BCSP protocol has not
been registered. This leads to a NULL pointer dereference, as shown in
the following stack trace:

    KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
    RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590
    Call Trace:
     <TASK>
     hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627
     tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
     tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
     vfs_ioctl fs/ioctl.c:51 [inline]
     __do_sys_ioctl fs/ioctl.c:907 [inline]
     __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
     do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

To prevent this, ensure that the HCI_UART_REGISTERED flag is set before
processing received data. If the protocol is not registered, return
-EUNATCH.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
LinuxCNA
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b
https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a
https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc
https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671
https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa
https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334
https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9
https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6