CVE-2025-38473

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-38473
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL. Let's not access to the killed socket in l2cap_sock_resume_cb(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hci_rx_work Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_report+0x58/0x84 mm/kasan/report.c:524 kasan_report+0xb0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 instrument_atomic_write include/linux/instrumented.h:82 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c Patch
https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05 Patch
https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33 Patch
https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0 Patch
https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0 Patch
https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec Patch
https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08 Patch
https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96 Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Third Party Advisory Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory Mailing List
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
History

22 Dec 2025, 19:29

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c - () https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c - Patch
References () https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05 - () https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05 - Patch
References () https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33 - () https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33 - Patch
References () https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0 - () https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0 - Patch
References () https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0 - () https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0 - Patch
References () https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec - () https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec - Patch
References () https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08 - () https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08 - Patch
References () https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96 - () https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96 - Patch
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - Third Party Advisory, Mailing List
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - Third Party Advisory, Mailing List
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
First Time Linux
Debian
Debian debian Linux
Linux linux Kernel
CPE cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
CWE CWE-476

03 Nov 2025, 18:16

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html -
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html -

28 Aug 2025, 15:15

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c -
  • () https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05 -
  • () https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33 -

29 Jul 2025, 14:14

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: Se corrige el error null-ptr-deref en l2cap_sock_resume_cb(). syzbot reportó un error null-ptr-deref en l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() presenta un problema similar, corregido con el commit 1bff51ea59a9 ("Bluetooth: Se corrige el error de use-after-free en lock_sock_nested()"). Dado que tanto l2cap_sock_kill() como l2cap_sock_resume_cb() se ejecutan bajo l2cap_sock_resume_cb(), podemos evitar el problema simplemente comprobando si chan->data es NULL. No se accederá al socket eliminado en l2cap_sock_resume_cb(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hci_rx_work Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_report+0x58/0x84 mm/kasan/report.c:524 kasan_report+0xb0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 instrument_atomic_write include/linux/instrumented.h:82 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

28 Jul 2025, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-28 12:15

Updated : 2025-12-22 19:29

NVD link : CVE-2025-38473

Mitre link : CVE-2025-38473

CVE.ORG link : CVE-2025-38473

JSON object : View

Products Affected

debian

  • debian_linux

linux

  • linux_kernel
CWE
CWE-476

NULL Pointer Dereference