CVE-2025-40308

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: bcsp: receive data only if registered<br /> <br /> Currently, bcsp_recv() can be called even when the BCSP protocol has not<br /> been registered. This leads to a NULL pointer dereference, as shown in<br /> the following stack trace:<br /> <br /> KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]<br /> RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590<br /> Call Trace:<br /> <br /> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627<br /> tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290<br /> tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:907 [inline]<br /> __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> To prevent this, ensure that the HCI_UART_REGISTERED flag is set before<br /> processing received data. If the protocol is not registered, return<br /> -EUNATCH.