Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix possible crashes on eir_create_adv_data. eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit.
Report
A vulnerability in eir_create_adv_data() in the Linux Bluetooth stack (introduced in commit 01ce70b0a274) may lead to out-of-bounds memory writes because EIR fields such as EIR_FLAGS and EIR_TX_POWER were appended without checking that they fit in the remaining buffer. Constructing oversized advertising data can therefore crash the kernel. The fix adds explicit size checks before writing into the advertising data buffer.

Exploitation results in a kernel crash (Oops) or memory corruption when the Bluetooth advertising data overflows the target buffer. It does not affect confidentiality or integrity, but it can impact availability. Only privileged processes with direct access to Bluetooth HCI configuration interfaces (e.g., kernel threads or a root-initiated bluetoothd context) can reach this code path; regular unprivileged users cannot invoke it without elevated rights.

Although the flaw is a kernel-space memory corruption, it sits in a Bluetooth advertising data generation function that is not directly accessible to unprivileged users. Triggering it requires high privileges (PR:H), and there is no evidence that the corruption can be leveraged for code execution or to affect confidentiality or integrity. The primary impact is a kernel crash, which justifies rating only Availability as High while leaving Confidentiality and Integrity as None.
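The fixed pattern described above, as an added illustration in C that is not the kernel's code: each EIR/AD field is a length-type-value triple, and the append helper refuses to write when the field would not fit in the bytes remaining. The names eir_append_checked and build_adv_data are this example's own; the 31-byte buffer is the legacy LE advertising data maximum.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not kernel code. EIR/AD fields are TLVs:
 * one length byte (covering type + data), one type byte, then data. */
#define EIR_FLAGS    0x01
#define EIR_TX_POWER 0x0A
#define ADV_MAX_LEN  31   /* legacy LE advertising data maximum */

uint8_t adv_buf[ADV_MAX_LEN];

/* Bounded append: writes the field only if its full length (2 + data_len)
 * fits in the `remaining` bytes at `ptr`. Returns the new write position,
 * or NULL when the field would overflow. An append that skips this
 * comparison is the defect the report describes. */
static uint8_t *eir_append_checked(uint8_t *ptr, size_t remaining,
                                   uint8_t type, const uint8_t *data,
                                   size_t data_len)
{
    size_t field_len = 2 + data_len;

    if (ptr == NULL || field_len > remaining)
        return NULL;
    ptr[0] = (uint8_t)(1 + data_len);   /* length counts type + data */
    ptr[1] = type;
    memcpy(ptr + 2, data, data_len);
    return ptr + field_len;
}

/* Builds FLAGS and TX_POWER into a caller-sized buffer. Returns the number
 * of bytes written, or 0 if either field did not fit; nothing is ever
 * written past `size`. */
size_t build_adv_data(uint8_t *buf, size_t size, uint8_t flags, int8_t tx_power)
{
    uint8_t *ptr = buf;
    uint8_t v = flags;

    ptr = eir_append_checked(ptr, size, EIR_FLAGS, &v, 1);
    if (ptr == NULL)
        return 0;
    v = (uint8_t)tx_power;
    ptr = eir_append_checked(ptr, size - (size_t)(ptr - buf),
                             EIR_TX_POWER, &v, 1);
    if (ptr == NULL)
        return 0;
    return (size_t)(ptr - buf);
}
```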
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | kernel | Fix deferred | | |
Red Hat Enterprise Linux 6 | kernel | Not affected | | |
Red Hat Enterprise Linux 7 | kernel | Not affected | | |
Red Hat Enterprise Linux 7 | kernel-rt | Not affected | | |
Red Hat Enterprise Linux 8 | kernel | Fix deferred | | |
Red Hat Enterprise Linux 8 | kernel-rt | Fix deferred | | |
Red Hat Enterprise Linux 9 | kernel | Fix deferred | | |
Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred | | |
Additional information
Status:
EPSS
4.4 Medium
CVSS3
Related vulnerabilities
Vulnerability in the eir_create_adv_data() function of the Linux operating system kernel that allows an attacker to cause a denial of service