The function le_conn_rsp, responsible for handling BLE connection responses, fails to verify whether a connection response is actually expected, i.e., whether the device initiated a connection request. Instead, it only checks whether the identifier matches.
- le_conn_rsp is the function handling responses that are sent in reply to LE connection requests.
- The parsing and handling in the function should not happen if a connection response is not expected (the device did not initiate any connection request).
- The function only validates that an identifier matches, leading to protocol state confusion, in particular when chained with GHSA-hcc8-3qr7-c9m8.
The relevant excerpt from le_conn_rsp: the channel is selected by ident alone, with no check that a connection request carrying that ident is still outstanding.
```c
/* Keep the channel in case of security errors */
if (result == BT_L2CAP_LE_SUCCESS ||
    result == BT_L2CAP_LE_ERR_AUTHENTICATION ||
    result == BT_L2CAP_LE_ERR_ENCRYPTION) {
	chan = l2cap_lookup_ident(conn, ident);
} else {
	chan = l2cap_remove_ident(conn, ident);
}
```
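The state confusion described above, as an added example that is not Zephyr's code: a small model of the ident bookkeeping in le_conn_rsp, with the ident-only lookup beside a lookup that also requires the channel to be waiting for a response to a request it sent. The struct, enum and function names (le_conn_rsp_model, lookup_ident_vuln, lookup_ident_fixed, chan_state) and the response bytes are constructed for this example, not taken from the advisory.

```c
/* Added example (not Zephyr's code): models the ident bookkeeping of
 * le_conn_rsp. Vulnerable lookup matches on ident alone; hardened lookup
 * also requires an outstanding request. All names here are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BT_L2CAP_LE_SUCCESS            0x0000
#define BT_L2CAP_LE_ERR_AUTHENTICATION 0x0005
#define BT_L2CAP_LE_ERR_ENCRYPTION     0x0008

/* LE Credit Based Connection Response payload: five little-endian u16 fields. */
struct le_conn_rsp {
    uint16_t dcid, mtu, mps, credits, result;
};

enum chan_state { CHAN_DISCONNECTED, CHAN_CONNECTING, CHAN_CONNECTED };

struct le_chan {
    uint8_t ident;          /* ident of the request this channel sent, 0 if none */
    enum chan_state state;
    uint16_t tx_cid, tx_mtu, tx_mps, tx_credits;
};

#define MAX_CHANS 4
static struct le_chan chans[MAX_CHANS];

static uint16_t get_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Length check first: the only validation the original handler does perform. */
static bool parse_le_conn_rsp(const uint8_t *buf, size_t len, struct le_conn_rsp *rsp) {
    if (len < 10) {
        return false;
    }
    rsp->dcid = get_le16(buf);
    rsp->mtu = get_le16(buf + 2);
    rsp->mps = get_le16(buf + 4);
    rsp->credits = get_le16(buf + 6);
    rsp->result = get_le16(buf + 8);
    return true;
}

/* Vulnerable: any channel whose stored ident matches is accepted. */
static struct le_chan *lookup_ident_vuln(uint8_t ident) {
    for (int i = 0; i < MAX_CHANS; i++) {
        if (chans[i].ident == ident) {
            return &chans[i];
        }
    }
    return NULL;
}

/* Hardened: ident must match a channel that sent a request and is still
 * waiting for its response; connected or idle channels never match. */
static struct le_chan *lookup_ident_fixed(uint8_t ident) {
    for (int i = 0; i < MAX_CHANS; i++) {
        if (chans[i].state == CHAN_CONNECTING && chans[i].ident != 0 &&
            chans[i].ident == ident) {
            return &chans[i];
        }
    }
    return NULL;
}

/* Same shape as le_conn_rsp(): returns true if the response was applied. */
static bool le_conn_rsp_model(uint8_t ident, const uint8_t *buf, size_t len, bool hardened) {
    struct le_conn_rsp rsp;
    struct le_chan *chan;

    if (!parse_le_conn_rsp(buf, len, &rsp)) {
        return false;
    }
    chan = hardened ? lookup_ident_fixed(ident) : lookup_ident_vuln(ident);
    if (chan == NULL) {
        return false;
    }
    chan->ident = 0;  /* the response consumes the ident either way */
    if (rsp.result == BT_L2CAP_LE_SUCCESS) {
        chan->tx_cid = rsp.dcid;
        chan->tx_mtu = rsp.mtu;
        chan->tx_mps = rsp.mps;
        chan->tx_credits = rsp.credits;
        chan->state = CHAN_CONNECTED;
    } else if (rsp.result != BT_L2CAP_LE_ERR_AUTHENTICATION &&
               rsp.result != BT_L2CAP_LE_ERR_ENCRYPTION) {
        chan->state = CHAN_DISCONNECTED;  /* keep channel only on security errors */
    }
    return true;
}

/* Constructed peer response: dcid 0x0099, mtu 100, mps 64, credits 5, success. */
static const uint8_t peer_rsp[10] = {0x99, 0x00, 0x64, 0x00, 0x40, 0x00, 0x05, 0x00, 0x00, 0x00};

/* Scenario 1: channel 0 is already connected on CID 0x0040 with no request
 * outstanding, but its stored ident (constructed) equals the incoming one.
 * Returns the channel's tx CID afterwards: 0x0040 means the response was ignored. */
static uint16_t scenario_unsolicited(bool hardened) {
    memset(chans, 0, sizeof(chans));
    chans[0].state = CHAN_CONNECTED;
    chans[0].ident = 7;
    chans[0].tx_cid = 0x0040;
    le_conn_rsp_model(7, peer_rsp, sizeof(peer_rsp), hardened);
    return chans[0].tx_cid;
}

/* Scenario 2: channel 0 really sent a request with ident 7; both handlers accept. */
static uint16_t scenario_expected(bool hardened) {
    memset(chans, 0, sizeof(chans));
    chans[0].state = CHAN_CONNECTING;
    chans[0].ident = 7;
    le_conn_rsp_model(7, peer_rsp, sizeof(peer_rsp), hardened);
    return chans[0].tx_cid;
}
```

In scenario 1 the ident-only lookup rewrites the tx parameters of a channel that is already in use, which is the state confusion the advisory describes; the hardened lookup drops the response because no request is pending on that channel. The length check alone does not help here, since the response is well-formed.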
Impact
Protocol state confusion, potentially resulting in security issues, memory corruption, or denial of service.
Patches
For more information
If you have any questions or comments about this advisory:
embargo: 2025-09-05