CVE-2025-68304

EPSS 0.03%
Veröffentlicht 16.12.2025 15:06:21
Zuletzt bearbeitet 18.12.2025 15:08:06
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_core: lookup hci_conn on RX path on protocol side

The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't
ensure hci_conn* is not concurrently modified/deleted. This locking
appears to be leftover from before conn_hash started using RCU
commit bf4c63252490b ("Bluetooth: convert conn hash to RCU")
and not clear if it had purpose since then.

Currently, there are code paths that delete hci_conn* from elsewhere
than the ordered hdev->workqueue where the RX work runs in. E.g.
commit 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")
introduced some of these, and there probably were a few others before
it.  It's better to do the locking so that even if these run
concurrently no UAF is possible.

Move the lookup of hci_conn and associated socket-specific conn to
protocol recv handlers, and do them within a single critical section
to cover hci_conn* usage and lookup.

syzkaller has reported a crash that appears to be this issue:

    [Task hdev->workqueue]          [Task 2]
                                    hci_disconnect_all_sync
    l2cap_recv_acldata(hcon)
                                      hci_conn_get(hcon)
                                      hci_abort_conn_sync(hcon)
                                        hci_dev_lock
      hci_dev_lock
                                        hci_conn_del(hcon)
      v-------------------------------- hci_dev_unlock
                                      hci_conn_put(hcon)
      conn = hcon->l2cap_data (UAF)

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93

Version 5af1f84ed13a416297ab9ced7537f4d5ae7f329a

Status affected

Version < 79a2d4678ba90bdba577dc3af88cc900d6dcd5ee

Version 5af1f84ed13a416297ab9ced7537f4d5ae7f329a

Status affected

Version cd55c13bbb3d093ae601aa97e588ed4c1390ebb1

Status affected

Version 4d3ca4a9aaf0aa798a6be372dc0fc3a29e37dd57

Status affected

Version 80265dd1d944c3f33e52375b5dbe654980bd2688

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.6

Status affected

Version < 6.6

Version 0

Status unaffected

Version <= 6.17.*

Version 6.17.11

Status unaffected

Version <= *

Version 6.18

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.067

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93

https://git.kernel.org/stable/c/79a2d4678ba90bdba577dc3af88cc900d6dcd5ee

https://nvd.nist.gov/vuln/detail/CVE-2025-68304

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68304

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68304

EUVD