197 matches found
CVE-2025-53477
NULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference. This issue requires disabled asserts and broken or bogus Bluetooth controller and thus severity is considered low. This issue...
CVE-2025-53470 Apache Mynewt NimBLE: Out-of-Bounds Write Vulnerability in NimBLE HCI H4 driver
Out-of-bounds Read vulnerability in Apache NimBLE HCI H4 driver. Specially crafted HCI event could lead to invalid memory read in H4 driver. This issue affects Apache NimBLE: through 1.8. This issue requires a broken or bogus Bluetooth controller and thus severity is considered low. Users are...
EUVD-2026-1853
NULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference. This issue requires disabled asserts and broken or bogus Bluetooth controller and thus severity is considered low. This issue...
CVE-2025-53477 Apache Mynewt NimBLE: NULL Pointer Dereference in NimBLE host HCI layer
NULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference. This issue requires disabled asserts and broken or bogus Bluetooth controller and thus severity is considered low. This issue...
PT-2026-1816
Name of the Vulnerable Software and Affected Versions Apache NimBLE versions through 1.8.0 Description A flaw exists in Apache NimBLE where missing validation of an HCI connection complete or HCI command TX buffer can result in a NULL pointer dereference. This issue requires disabled asserts and ...
Apache NimBLE 缓冲区错误漏洞
Apache NimBLE is an open source Bluetooth 5.4 stack host and controller from the Apache Foundation, USA, that completely replaces the proprietary SoftDevice on Nordic chipsets.It is part of the Apache Mynewt project. A buffer error vulnerability exists in Apache NimBLE 1.8 and earlier versions,...
PT-2026-1815
Name of the Vulnerable Software and Affected Versions Apache NimBLE versions through 1.8 Description An out-of-bounds read issue exists in the Apache NimBLE HCI H4 driver. A specially crafted HCI event can cause an invalid memory read within the H4 driver. The issue is considered low severity as ...
CVE-2022-50809 xhci: dbc: Fix memory leak in xhci_alloc_dbc()
In the Linux kernel, the following vulnerability has been resolved: xhci: dbc: Fix memory leak in xhciallocdbc If DbC is already in use, then the allocated memory for the xhcidbc struct doesn't get freed before returning NULL, which leads to a memleak...
PT-2025-53951
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contains an issue related to Bluetooth handling. Specifically, the scheduling of work items within the Bluetooth HCI Host Controller Interface subsystem was flawed. A...
PT-2025-52995
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A flaw exists in the Linux kernel's Bluetooth implementation within the hci conn component. Specifically, the hci connect sco and hci connect cis functions were returning NULL when a lin...
Bluetooth: hci_event: validate skb length for unknown CC opcode
...
CVE-2023-53828 Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcisync: Avoid use-after-free in dbg for hciaddadvmonitor KSAN reports use-after-free in hciaddadvmonitor. While adding an adv monitor, hciaddadvmonitor calls - msftaddmonitorpattern calls - msftaddmonitorsync calls -...
SUSE CVE-2025-40308
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsprecv can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN:...
PT-2025-49447
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A race condition exists within the Bluetooth implementation in the Linux kernel, specifically in the hci cmd sync dequeue once function. This function performs a lookup and cancellation ...
kernel: Bluetooth: Fix potential use-after-free when clear keys
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix potential use-after-free when clear keys Similar to commit c5d2b6fa26b5 "Bluetooth: Fix use-after-free in hciremoveltk/hciremoveirk". We can not access k after kfreercu call...
Bluetooth: When HCI work queue is drained, only queue chained work
...
kernel: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
A flaw was discovered in the Bluetooth subsystem of the Linux kernel. When processing a HCIEVNUMCOMPPKTS event, the function hciconntxdequeue did not properly hold or release the hdev device lock, which may lead to a use-after-free of the connection structure...
kernel: Linux kernel: Denial of Service in Bluetooth HCI UART driver via null pointer dereference
A flaw was found in the Linux kernel's Bluetooth HCI UART driver. A race condition exists where the hciuartwritework function may attempt to access uninitialized private data if a TTY write wakeup occurs during the protocol initialization phase. This can lead to a NULL pointer dereference,...
UBUNTU-CVE-2025-39983
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcievent: Fix UAF in hciconntxdequeue This fixes the following UAF caused by not properly locking hdev when processing HCIEVNUMCOMPPKTS: BUG: KASAN: slab-use-after-free in hciconntxdequeue+0x1be/0x220...
Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987175)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-987175 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: fix use-after-free in l2capconndel When l2caprecvframe is invoked to receive...