PT-2026-1815

Name of the Vulnerable Software and Affected Versions Apache NimBLE versions through 1.8 Description An out-of-bounds read issue exists in the Apache NimBLE HCI H4 driver. A specially crafted HCI event can cause an invalid memory read within the H4 driver. The issue is considered low severity as ...

Apache NimBLE 缓冲区错误漏洞

Apache NimBLE is an open source Bluetooth 5.4 stack host and controller from the Apache Foundation, USA, that completely replaces the proprietary SoftDevice on Nordic chipsets.It is part of the Apache Mynewt project. A buffer error vulnerability exists in Apache NimBLE 1.8 and earlier versions,...

CVE-2022-50809 xhci: dbc: Fix memory leak in xhci_alloc_dbc()

In the Linux kernel, the following vulnerability has been resolved: xhci: dbc: Fix memory leak in xhciallocdbc If DbC is already in use, then the allocated memory for the xhcidbc struct doesn't get freed before returning NULL, which leads to a memleak...

PT-2025-53951

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contains an issue related to Bluetooth handling. Specifically, the scheduling of work items within the Bluetooth HCI Host Controller Interface subsystem was flawed. A...

PT-2025-52995

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A flaw exists in the Linux kernel's Bluetooth implementation within the hci conn component. Specifically, the hci connect sco and hci connect cis functions were returning NULL when a lin...

Bluetooth: hci_event: validate skb length for unknown CC opcode

...

CVE-2023-53828 Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcisync: Avoid use-after-free in dbg for hciaddadvmonitor KSAN reports use-after-free in hciaddadvmonitor. While adding an adv monitor, hciaddadvmonitor calls - msftaddmonitorpattern calls - msftaddmonitorsync calls -...

SUSE CVE-2025-40308

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsprecv can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN:...

PT-2025-49447

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A race condition exists within the Bluetooth implementation in the Linux kernel, specifically in the hci cmd sync dequeue once function. This function performs a lookup and cancellation ...

kernel: Bluetooth: Fix potential use-after-free when clear keys

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix potential use-after-free when clear keys Similar to commit c5d2b6fa26b5 "Bluetooth: Fix use-after-free in hciremoveltk/hciremoveirk". We can not access k after kfreercu call...

Bluetooth: When HCI work queue is drained, only queue chained work

...

kernel: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue

A flaw was discovered in the Bluetooth subsystem of the Linux kernel. When processing a HCIEVNUMCOMPPKTS event, the function hciconntxdequeue did not properly hold or release the hdev device lock, which may lead to a use-after-free of the connection structure...

kernel: Linux kernel: Denial of Service in Bluetooth HCI UART driver via null pointer dereference

A flaw was found in the Linux kernel's Bluetooth HCI UART driver. A race condition exists where the hciuartwritework function may attempt to access uninitialized private data if a TTY write wakeup occurs during the protocol initialization phase. This can lead to a NULL pointer dereference,...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...

net: nfc: nci: Add parameter validation for packet data

...

CVE-2025-40043 net: nfc: nci: Add parameter validation for packet data

In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Add parameter validation for packet data Syzbot reported an uninitialized value bug in nciinitreq, which was introduced by commit 5aca7966d2a7 "Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of...

UBUNTU-CVE-2025-39983

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcievent: Fix UAF in hciconntxdequeue This fixes the following UAF caused by not properly locking hdev when processing HCIEVNUMCOMPPKTS: BUG: KASAN: slab-use-after-free in hciconntxdequeue+0x1be/0x220...

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987175)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-987175 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: fix use-after-free in l2capconndel When l2caprecvframe is invoked to receive...

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-986555)

"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-986555 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcicore: cancel all works upon hciunregisterdev syzbot is reporting that calling...

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987359)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-987359 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use after free in hcisendacl This fixes the following trace caused by receiving...