{"id":"CVE-2025-40308","summary":"Bluetooth: bcsp: receive data only if registered","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bcsp: receive data only if registered\n\nCurrently, bcsp_recv() can be called even when the BCSP protocol has not\nbeen registered. This leads to a NULL pointer dereference, as shown in\nthe following stack trace:\n\n    KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]\n    RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590\n    Call Trace:\n     \u003cTASK\u003e\n     hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627\n     tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290\n     tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706\n     vfs_ioctl fs/ioctl.c:51 [inline]\n     __do_sys_ioctl fs/ioctl.c:907 [inline]\n     __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n     do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n     entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nTo prevent this, ensure that the HCI_UART_REGISTERED flag is set before\nprocessing received data. If the protocol is not registered, return\n-EUNATCH.","modified":"2026-04-16T04:38:52.175268317Z","published":"2025-12-08T00:46:33.729Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0316-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20145-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40308.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40308.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40308"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"48effdb7a798232db945503cf3f51e0be8070cea"},{"fixed":"39a7d40314b6288cfa2d13269275e9247a7a055a"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"45fa7bd82c6178f4fec0ab94891144a043ec5fe8"},{"fixed":"164586725b47f9d61912e6bf17dbaffeff11710b"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d71a57a34ab6bbc95dc461158403c02e8ff3f912"},{"fixed":"b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf"},{"fixed":"8b892dbef3887dbe9afdc7176d1a5fd90e1636aa"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"806464634e7fc6b523160defeeddb1ade2a72f81"},{"fixed":"799cd62cbcc3f12ee04b33ef390ff7d41c37d671"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6b7a32fa9bacdebd98c18b2a56994116995ee643"},{"fixed":"b420a4c7f915fc1c94ad1f6ca740acc046d94334"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"366ceff495f902182d42b6f41525c2474caf3f9a"},{"fixed":"55c1519fca830f59a10bbf9aa8209c87b06cf7bc"},{"fixed":"ca94b2b036c22556c3a66f1b80f490882deef7a6"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"15543b7bbe7b5f744fdbb44f75b14f81a0117813"},{"last_affected":"a4b89a45b12b69bc82c8137346b150a118e02c26"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40308.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.302"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.247"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.197"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.159"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.117"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.58"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40308.json"}}],"schema_version":"1.7.5"}