CVE-2025-38303 in Linux
Summary
by MITRE • 07/10/2025
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: eir: Fix possible crashes on eir_create_adv_data
eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 12/07/2025
The vulnerability identified as CVE-2025-38303 represents a critical flaw in the Linux kernel's Bluetooth implementation specifically within the Extended Inquiry Response (EIR) handling mechanism. This issue affects the eir_create_adv_data function which is responsible for constructing advertising data packets in Bluetooth Low Energy communications. The flaw stems from inadequate bounds checking during the construction of EIR data structures, creating potential for system instability and crash conditions. The vulnerability manifests when the function attempts to incorporate EIR_FLAGS and EIR_TX_POWER elements into advertising data without first verifying that sufficient space exists within the allocated buffer.
From a technical perspective, this vulnerability constitutes a buffer overflow condition that aligns with CWE-129, which describes improper validation of array index or buffer bounds. The eir_create_adv_data function operates under the assumption that sufficient space exists in the advertising data buffer to accommodate all potential EIR elements, including the mandatory EIR_FLAGS and EIR_TX_POWER fields. However, when the buffer size constraints are exceeded during the addition of these elements, the kernel's memory management system can experience undefined behavior leading to system crashes or potential privilege escalation. The vulnerability specifically impacts the Bluetooth subsystem's ability to properly construct advertising packets, which are fundamental to BLE device discovery and connection establishment processes.
The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise the entire Bluetooth communication stack within affected Linux systems. Attackers could exploit this condition to induce denial-of-service scenarios against Bluetooth-enabled devices, effectively rendering them unusable for wireless communication. In environments where Bluetooth is critical for device management or security functions, such as industrial control systems or IoT deployments, this vulnerability could result in significant operational disruptions. The flaw affects systems running Linux kernel versions that include the problematic eir_create_adv_data implementation, particularly those supporting Bluetooth Low Energy protocols. The vulnerability is particularly concerning because it operates at the kernel level, meaning successful exploitation could potentially provide attackers with elevated privileges or complete system compromise.
Mitigation strategies for CVE-2025-38303 should prioritize applying the official kernel patches provided by the Linux kernel security team. Organizations should implement comprehensive monitoring of Bluetooth-related system crashes and ensure all Linux systems are updated to versions containing the fix. The vulnerability's exploitation requires specific conditions related to Bluetooth advertising data construction, but given the widespread use of Bluetooth in modern systems, proactive patch management is essential. Security teams should also consider implementing network segmentation to limit exposure and monitor for unusual Bluetooth activity patterns that might indicate exploitation attempts. The fix addresses the core issue by implementing proper bounds checking before attempting to add EIR_FLAGS and EIR_TX_POWER elements to advertising data packets, ensuring that buffer overflow conditions cannot occur during the EIR data construction process. This remediation aligns with ATT&CK technique T1059.007 for command and scripting interpreter, as it prevents potential malicious code execution through kernel-level buffer overflow exploitation.