Skip to content

Bluetooth: bt_conn_tx_processor unsafe handling

High
ceolin published GHSA-9r46-cqqw-6j2j Sep 19, 2025

Package

zephyr (zephyr)

Affected versions

<= 4.1

Patched versions

None

Description

  1. The bt_conn_tx_processor deallocating net_bufs that are holding ACL TX data to be sent when an LE Bluetooth disconnection has taken place.
  2. It uses the l2cap_pull_data function which is responsible for preparing the data to send while returning a net_buf pointer.
  3. the l2cap_pull_data is also responsible for popping the PDU from the channel tx_queue when the last segment (K-frame) has been sent.
  4. The bt_conn_tx_processor does not take into account that l2cap_pull_data is segmenting the data and assumes that returned pointer can be “UNREFED” (freed).
    a. only when conn->state is not CONNECTED.
  5. Leading to a write-before-zero when the next segment send is acknowledged.
  6. This 4 bytes that are written are highly controlled by outside attacker and this can form the basis of a reliable exploit.
image

Impact

  • Causes a use-after-free, resulting in a write-before-zero (stale buffer is reused and written to).
  • The written 4 bytes are attacker-controlled, enabling precise memory corruption.
  • This can form the basis of a reliable remote exploit

Patches

main: #90975

For more information

If you have any questions or comments about this advisory:

embargo: 2025-09-05

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVE ID

CVE-2025-7403

Weaknesses

Write-what-where Condition

Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. Learn more on MITRE.

Credits