VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68298

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref

In btusb_mtk_setup(), we set btmtk_data->isopkt_intf to: usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)

That function can return NULL in some cases. Even when it returns NULL, though, we still go on to call btusb_mtk_claim_iso_intf().

As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf() when btmtk_data->isopkt_intf is NULL will cause a crash because we'll end up passing a bad pointer to device_lock(). Prior to that commit we'd pass the NULL pointer directly to usb_driver_claim_interface() which would detect it and return an error, which was handled.

Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check at the start of the function. This makes the code handle a NULL btmtk_data->isopkt_intf the same way it did before the problematic commit (just with a slight change to the error message printed).
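The failure mode described above, as an added user-space model that is not the kernel's code or the patch itself: a mock device_lock() that dereferences its argument the way the real one does, a mock claim routine that rejects NULL the way usb_driver_claim_interface() does, and the claim function before and after the NULL check is placed ahead of the lock. The struct layouts, the error code and the message text are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
/* Assumed minimal stand-ins for the kernel types, not the real layouts. */
struct usb_interface { int locked; int claimed; };
struct btmtk_data { struct usb_interface *isopkt_intf; };
/* Mocks of device_lock()/device_unlock(): like the kernel's, they
 * dereference the argument unconditionally, so a NULL intf crashes here. */
void mock_device_lock(struct usb_interface *intf)   { intf->locked = 1; }
void mock_device_unlock(struct usb_interface *intf) { intf->locked = 0; }
/* Mock of usb_driver_claim_interface(): rejects NULL with an error, which is
 * why the code before e9087e828827 survived a NULL isopkt_intf. */
int mock_claim_interface(struct usb_interface *intf)
{
    if (!intf)
        return -ENODEV;
    intf->claimed = 1;
    return 0;
}
/* After e9087e828827, before the fix: the lock is taken before anything
 * checks the pointer, so a NULL isopkt_intf is dereferenced in the lock. */
int claim_iso_intf_unfixed(struct btmtk_data *d)
{
    mock_device_lock(d->isopkt_intf);            /* NULL deref when intf is NULL */
    int err = mock_claim_interface(d->isopkt_intf);
    mock_device_unlock(d->isopkt_intf);
    return err;
}
/* Fixed: reject a missing interface before touching the lock. */
int claim_iso_intf_fixed(struct btmtk_data *d)
{
    if (!d->isopkt_intf) {
        fprintf(stderr, "ISO interface not found\n"); /* message text assumed */
        return -ENODEV;
    }
    mock_device_lock(d->isopkt_intf);
    int err = mock_claim_interface(d->isopkt_intf);
    mock_device_unlock(d->isopkt_intf);
    return err;
}
/* Drive the fixed path with (have_iso != 0) or without an ISO interface;
 * the unfixed one on the NULL case would crash, as the advisory describes. */
int probe_fixed(int have_iso)
{
    struct usb_interface iso = {0};
    struct btmtk_data d = { have_iso ? &iso : NULL };
    return claim_iso_intf_fixed(&d);
}
```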

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's Bluetooth btusb driver for MediaTek chips, a NULL pointer dereference in btusb_mtk_claim_iso_intf() can be triggered when usb_ifnum_to_if() returns NULL, leading to a crash.

Vulnerability

Overview

A NULL pointer dereference vulnerability exists in the Linux kernel's Bluetooth subsystem, specifically in the btusb driver for MediaTek chipsets. The issue occurs in the btusb_mtk_setup() function, where btmtk_data->isopkt_intf is assigned the return value of usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM). This function can return NULL under certain conditions [1].

Exploitation

Prerequisites

An attacker does not need special privileges to trigger this bug; it can occur during normal USB device enumeration if the system has a MediaTek Bluetooth adapter connected. The vulnerability is reachable without authentication, as it is triggered during driver initialization when the kernel attempts to claim the ISO interface. When btmtk_data->isopkt_intf is NULL, the subsequent call to btusb_mtk_claim_iso_intf() passes the NULL pointer to functions like device_lock(), which results in a kernel crash (NULL pointer dereference) [1].

Impact

The impact is a denial of service (DoS) via system crash or kernel panic. An attacker could potentially cause the system to become unavailable by connecting a malicious USB device that triggers this code path. There is no indication of privilege escalation or data confidentiality breach [1].

Mitigation

The fix is included in Linux kernel commit 2fa09fe98ca3. The patch adds a NULL check at the start of btusb_mtk_claim_iso_intf(), which safely returns an error instead of crashing. Users should update their kernel to the latest stable release containing this patch. No workaround is available other than applying the patch [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
