CVE-2025-40308
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: bcsp: receive data only if registered
Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:
KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590
Call Trace:
 hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627
 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null-pointer dereference in the Linux kernel's BCSP Bluetooth driver allows a local attacker to crash the system by sending data before the protocol is registered.
Vulnerability
Description
CVE-2025-40308 is a NULL pointer dereference in the BCSP (BlueCore Serial Protocol) support of the Linux kernel's Bluetooth HCI UART driver. The root cause is that the receive callback bcsp_recv() can be invoked before the BCSP protocol has been registered on the UART, so it dereferences protocol state that does not exist yet. The report is a KASAN (Kernel Address Sanitizer) null-ptr-deref in the range 0x108-0x10f, i.e. a field of a structure reached through a NULL pointer, at bcsp_recv+0x13d/0x1740, drivers/bluetooth/hci_bcsp.c:590[1][2].
Exploitation
Vector
The vulnerability is reached through the serial TTY subsystem. The reported call chain starts at the TIOCSTI ioctl, which injects a byte into a terminal's input queue; on a TTY whose line discipline is the Bluetooth HCI UART discipline (hci_ldisc, N_HCI), the injected byte is handed to hci_uart_tty_receive() and from there to bcsp_recv()[1]. No authentication is involved beyond the ability to issue the ioctl on a suitable TTY file descriptor. Two kernel-side constraints apply to that path: tiocsti() only accepts the request when the descriptor is the caller's controlling terminal or the caller holds CAP_SYS_ADMIN, and on kernels 6.2 and later the operation can be disabled entirely (CONFIG_LEGACY_TIOCSTI, runtime sysctl dev.tty.legacy_tiocsti), after which it is refused for callers without CAP_SYS_ADMIN. The attack surface is further limited to systems where the hci_uart line discipline is available (BCSP is a protocol option inside that driver, not a line discipline of its own); where it is, the unpatched code path is reachable from a local user context.
Impact
Successful exploitation results in a kernel NULL pointer dereference, i.e. a kernel oops in the context of the calling process; on systems configured with panic_on_oops this becomes a full panic and reboot. A local attacker who can reach the path can trigger it reliably. There is no indication of privilege escalation or data corruption; the impact is availability. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been reported.
Mitigation
The fix, merged into the Linux kernel stable trees (see the patch list below), makes bcsp_recv() check the HCI_UART_REGISTERED flag before it touches any protocol state; if the protocol is not registered, the function returns -EUNATCH ("Protocol driver not attached") instead of dereferencing an uninitialized pointer[3][4]. Users should apply the corresponding kernel updates from their distribution. As a workaround, if Bluetooth over UART is not needed, do not load (or blacklist) the hci_uart module; BCSP support is compiled into that module when CONFIG_BT_HCIUART_BCSP is enabled, so there is no separate hci_bcsp module to unload. On kernels 6.2 and later, setting the sysctl dev.tty.legacy_tiocsti to 0 also closes the TIOCSTI injection path used in the report for callers without CAP_SYS_ADMIN, although it does not fix the driver itself.
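The registration check that the commit message and the mitigation above describe, modelled in userspace as an added example. This is not the kernel's hci_bcsp.c: the struct layout, the flag bit, the function names (chosen to mirror the driver's hci_uart / HCI_UART_REGISTERED / bcsp_recv naming) and the sample frame bytes are all assumptions constructed for the illustration. It shows the unchecked receive path that dereferences protocol state through a NULL pointer, the checked version that refuses data with -EUNATCH until registration has published that state, and a driver that feeds bytes before and after registration.

```c
/* Added example, not kernel code. Userspace model of "receive data only
 * if registered". Names mirror the driver's naming but are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef EUNATCH
#define EUNATCH 49              /* Linux value of "Protocol driver not attached" */
#endif

#define HCI_UART_REGISTERED 1   /* assumed bit position in hu->flags */

/* Per-protocol state that exists only once the protocol has been set up. */
struct bcsp_state {
    size_t rx_count;
    uint8_t last_byte;
};

/* Minimal stand-in for the driver's per-UART structure (assumed layout). */
struct hci_uart {
    unsigned long flags;        /* bitmask of HCI_UART_* bits */
    struct bcsp_state *priv;    /* NULL until the protocol is registered */
};

static int flag_set(unsigned long flags, int bit)
{
    return (flags >> bit) & 1UL;
}

/* Before the fix: trusts hu->priv unconditionally. Called on an unregistered
 * UART (priv == NULL) the first store below is the NULL pointer dereference. */
static int bcsp_recv_unchecked(struct hci_uart *hu, const uint8_t *data, size_t count)
{
    struct bcsp_state *bcsp = hu->priv;

    for (size_t i = 0; i < count; i++) {
        bcsp->rx_count++;       /* crashes when bcsp == NULL */
        bcsp->last_byte = data[i];
    }
    return (int)count;
}

/* After the fix: refuse all input until registration has completed. */
static int bcsp_recv_checked(struct hci_uart *hu, const uint8_t *data, size_t count)
{
    if (!flag_set(hu->flags, HCI_UART_REGISTERED))
        return -EUNATCH;
    return bcsp_recv_unchecked(hu, data, count);
}

/* Registration: allocate the protocol state first, publish the flag last,
 * so a receiver that honours the flag never sees a half-initialised UART. */
static void bcsp_register(struct hci_uart *hu, struct bcsp_state *st)
{
    memset(st, 0, sizeof(*st));
    hu->priv = st;
    hu->flags |= 1UL << HCI_UART_REGISTERED;
}

/* Feed the same bytes before and after registration; report both results. */
static void demo(int *before, int *after, size_t *rx_count)
{
    /* Constructed sample bytes (0xc0 delimiters like a serial frame); not a
     * real BCSP packet and not needed to be one for this check. */
    static const uint8_t frame[] = { 0xc0, 0x00, 0x41, 0x00, 0xbe, 0xc0 };
    struct hci_uart hu = { 0 };
    struct bcsp_state st;

    *before = bcsp_recv_checked(&hu, frame, sizeof frame);  /* -EUNATCH */
    bcsp_register(&hu, &st);
    *after = bcsp_recv_checked(&hu, frame, sizeof frame);   /* 6 bytes consumed */
    *rx_count = st.rx_count;
}

int main(void)
{
    int before, after;
    size_t rx;

    demo(&before, &after, &rx);
    printf("before registration: %d (%s)\n", before,
           before == -EUNATCH ? "-EUNATCH" : "unexpected");
    printf("after registration: %d bytes accepted, rx_count=%zu\n", after, rx);
    return 0;
}
```

The point of the ordering in bcsp_register() is that the flag is the only thing the receive path is allowed to trust: state is made valid first and the flag is published last, so the check in bcsp_recv_checked() is sufficient on its own. Calling bcsp_recv_unchecked() on the unregistered UART in this model segfaults, which is the userspace equivalent of the KASAN report above.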
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (8)
- 39a7d40314b6
- 164586725b47
- b65ca9708bfb
- 8b892dbef388
- 799cd62cbcc3
- b420a4c7f915
- 55c1519fca83
- ca94b2b036c2
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
[1] git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b (via NVD)
[2] git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a (via NVD)
[3] git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc (via NVD)
[4] git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671 (via NVD)
[5] git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa (via NVD)
[6] git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334 (via NVD)
[7] git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9 (via NVD)
[8] git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6 (via NVD)
News mentions (0)
No linked articles in our index yet.