CVE-2025-38304 in Linuxinfo

Summary

by MITRE • 07/10/2025

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix NULL pointer deference on eir_get_service_data

The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/19/2025

The vulnerability identified as CVE-2025-38304 represents a critical NULL pointer dereference flaw within the Linux kernel's Bluetooth implementation, specifically affecting the eir_get_service_data function. This issue resides in the Extended Inquiry Response (EIR) parsing logic that processes Bluetooth service data during device discovery operations. The vulnerability stems from improper handling of the len parameter which is marked as optional in the Bluetooth specification but is still being dereferenced without proper validation in the kernel's Bluetooth subsystem. When a Bluetooth device advertises service data with a NULL length parameter, the kernel's parsing routine attempts to access memory locations based on this null value, leading to a system crash or potential privilege escalation.

The technical flaw manifests when the Bluetooth stack encounters EIR_SERVICE_DATA entries where the length parameter is explicitly set to NULL. According to the Bluetooth Core Specification, the length field in EIR data is optional and may be omitted in certain advertising packets. However, the Linux kernel implementation fails to account for this possibility and proceeds to use the NULL length value for memory calculations or pointer arithmetic operations. This direct dereference of a NULL pointer violates fundamental security principles and can result in immediate system instability or more sophisticated exploitation scenarios. The vulnerability directly maps to CWE-476 which identifies NULL pointer dereference as a common programming error that leads to application crashes and potential security breaches.

The operational impact of CVE-2025-38304 extends beyond simple system crashes, potentially enabling attackers to cause denial of service conditions across Bluetooth-enabled devices or even achieve privilege escalation depending on the execution context. In embedded systems, mobile devices, or IoT deployments where Bluetooth is heavily utilized, this vulnerability could be exploited to disrupt critical services or create persistent access points for further attacks. The issue is particularly concerning because Bluetooth discovery processes occur frequently during device pairing and network scanning activities, making exploitation relatively straightforward. From an adversary perspective, this vulnerability aligns with ATT&CK technique T1059.007 which involves executing commands through system binaries, and T1499.004 which covers network denial of service attacks.

Mitigation strategies for CVE-2025-38304 should focus on immediate kernel updates from vendors such as Canonical, Red Hat, or other Linux distributions that have patched this specific vulnerability. System administrators should prioritize patch deployment across all Bluetooth-enabled systems, particularly those in critical infrastructure environments. Additionally, network segmentation and monitoring should be enhanced to detect anomalous Bluetooth traffic patterns that might indicate exploitation attempts. The fix implemented by kernel developers involves adding proper NULL pointer validation before attempting to process the length parameter, ensuring that the eir_get_service_data function gracefully handles optional length fields without attempting invalid memory operations. Organizations should also consider implementing Bluetooth device whitelisting policies and disabling unnecessary Bluetooth services to reduce attack surface exposure. Regular security audits of Bluetooth implementations and adherence to secure coding practices should be enforced to prevent similar vulnerabilities in future developments.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/10/2025

Moderation

accepted

CPE

ready

EPSS

0.00145

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!