VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2025 · Updated Apr 15, 2026

CVE-2025-40301

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: validate skb length for unknown CC opcode

In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.

The fix is to check skb->len before using skb->data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's Bluetooth HCI event handler, missing length validation for unknown command complete opcodes can cause an out-of-bounds read.

Vulnerability

In hci_cmd_complete_evt(), when a command complete event has an unknown opcode, the code assumes the first byte of the remaining skb->data contains the return status. However, parameter data has already been pulled by hci_event_func(), which may leave the skb empty [1]. Reading skb->data[0] in this case accesses uninitialized memory.

Exploitation

The vulnerability is triggered when a Bluetooth controller sends a command complete event with an opcode not recognized by the kernel. No authentication is required, but an attacker would need to be able to inject such events, typically requiring local access or proximity to the device (Bluetooth range). The issue exists in the HCI event processing code path.

Impact

An attacker could cause the kernel to read uninitialized memory, potentially leading to information disclosure or system instability. The out-of-bounds read occurs before the command status is properly handled.

Mitigation

The fix, included in commit 5c5f1f64681c (stable backport fea895de78d3 in a different context [2]), adds a length check on skb->len before using skb->data. This ensures the skb has at least one byte of data, returning an error if not. Users should update to a kernel version containing this patch.
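The following C model shows the length check described above (and in the Description) applied to an unknown-opcode Command Complete event. It is an added illustration, not the kernel's code or the patch itself: struct toy_skb, toy_skb_pull(), handle_unknown_cc(), parse_cc_event() and the cc_result values are names assumed for this example, and the three-byte parameter header (num_hci_command_packets, little-endian opcode) follows the Bluetooth Core specification layout of the Command Complete event. The header pull stands in for the parameter pull hci_event_func() performs before hci_cmd_complete_evt() sees the skb.

```c
/*
 * Added illustration of the skb->len check behind CVE-2025-40301's fix.
 * Not the kernel's code: toy_skb is a stand-in for sk_buff with only the
 * two fields the check needs.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct toy_skb {
    const uint8_t *data;  /* first byte not yet consumed */
    size_t len;           /* bytes remaining from data onward */
};

/* Consume n bytes from the front (like skb_pull()); NULL if too short. */
static const uint8_t *toy_skb_pull(struct toy_skb *skb, size_t n)
{
    if (skb->len < n)
        return NULL;
    skb->data += n;
    skb->len -= n;
    return skb->data;
}

/* Outcome of handling a Command Complete event whose opcode is unknown. */
enum cc_result {
    CC_STATUS_READ,     /* a status byte was present and returned */
    CC_TOO_SHORT,       /* the 3-byte event header itself is incomplete */
    CC_NO_STATUS_BYTE   /* header consumed, nothing left: the bug's case */
};

/*
 * Hardened handling. After the header is pulled, the status byte is read
 * only if at least one byte remains. Without the skb->len test, data[0]
 * would be read from beyond the bytes the event actually carried, which
 * is the uninitialized read the advisory describes.
 */
static enum cc_result handle_unknown_cc(struct toy_skb *skb,
                                        uint16_t *opcode, uint8_t *status)
{
    const uint8_t *hdr = skb->data;

    if (skb->len < 3)
        return CC_TOO_SHORT;
    *opcode = (uint16_t)hdr[1] | (uint16_t)((uint16_t)hdr[2] << 8);
    toy_skb_pull(skb, 3);            /* header consumed, as hci_event_func() does */

    if (skb->len < 1)                /* the fix: validate before touching data[0] */
        return CC_NO_STATUS_BYTE;
    *status = skb->data[0];
    return CC_STATUS_READ;
}

/* Wrap a raw event parameter buffer in a toy_skb and handle it. */
static enum cc_result parse_cc_event(const uint8_t *buf, size_t n,
                                     uint16_t *opcode, uint8_t *status)
{
    struct toy_skb skb = { buf, n };
    return handle_unknown_cc(&skb, opcode, status);
}

int main(void)
{
    /* Constructed sample events, not captured traffic. */
    const uint8_t with_status[] = { 0x01, 0x34, 0x12, 0x00 }; /* ncmd=1, opcode 0x1234, status 0 */
    const uint8_t header_only[] = { 0x01, 0x34, 0x12 };       /* nothing left after the pull */
    uint16_t op = 0;
    uint8_t st = 0;

    printf("with status  -> %d\n", parse_cc_event(with_status, sizeof with_status, &op, &st));
    printf("header only  -> %d\n", parse_cc_event(header_only, sizeof header_only, &op, &st));
    return 0;
}
```

The point a reviewer would check in the real code path is the same as in the toy: the length test must run after every pull that precedes the status read, so that a controller-supplied event with no parameter bytes beyond the header is rejected rather than read.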

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Linux/Kernel (inferred): 2 versions, no CPE identifiers listed

Patches (5)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.