Bug 2419896 (CVE-2025-40301)

Summary: CVE-2025-40301 kernel: Linux kernel: Information disclosure and denial of service in Bluetooth HCI event handling
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's Bluetooth component. A local attacker with low privileges could exploit a vulnerability in the Host Controller Interface (HCI) event processing. This issue arises from improper handling of command complete events with unknown opcodes, which can lead to the system attempting to read from uninitialized memory. Successful exploitation could result in the disclosure of sensitive information or cause the system to become unavailable (a denial of service).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-08 07:06:55 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: validate skb length for unknown CC opcode

In hci_cmd_complete_evt(), if the command complete event has an unknown
opcode, we assume the first byte of the remaining skb->data contains the
return status. However, parameter data has previously been pulled in
hci_event_func(), which may leave the skb empty. If so, using skb->data[0]
for the return status uses un-init memory.

The fix is to check skb->len before using skb->data.
Comment 1 Jon Moroney 2025-12-08 21:51:33 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120819-CVE-2025-40301-4d3b@gregkh/T
Comment 3 errata-xmlrpc 2026-02-02 09:50:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1690 https://access.redhat.com/errata/RHSA-2026:1690
Comment 5 errata-xmlrpc 2026-02-02 15:25:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:1727 https://access.redhat.com/errata/RHSA-2026:1727