CVE-2025-38315

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: Check dsbr size from EFI variable Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variable size. If the final result doesn't match what we expect also fail. This fixes a stack buffer overflow when the EFI variable is larger than struct btintel_dsbr.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/3aa1dc3c9060e335e82e9c182bf3d1db29220b1b	Patch
https://git.kernel.org/stable/c/7b8526bb489780ccc0caffc446ecabec83cfe568	Patch
https://git.kernel.org/stable/c/9427f6081f37c795a8bd29d0ee72a4da3bd64af8	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.11:-::::::
	cpe:2.3:o:linux:linux_kernel:6.11:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.11:rc7::::::

History

18 Nov 2025, 12:55

Type	Values Removed	Values Added
First Time		Linux linux Kernel Linux
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
References	~~() https://git.kernel.org/stable/c/3aa1dc3c9060e335e82e9c182bf3d1db29220b1b -~~	() https://git.kernel.org/stable/c/3aa1dc3c9060e335e82e9c182bf3d1db29220b1b - Patch
References	~~() https://git.kernel.org/stable/c/7b8526bb489780ccc0caffc446ecabec83cfe568 -~~	() https://git.kernel.org/stable/c/7b8526bb489780ccc0caffc446ecabec83cfe568 - Patch
References	~~() https://git.kernel.org/stable/c/9427f6081f37c795a8bd29d0ee72a4da3bd64af8 -~~	() https://git.kernel.org/stable/c/9427f6081f37c795a8bd29d0ee72a4da3bd64af8 - Patch
CWE		CWE-674
CPE		cpe:2.3:o:linux:linux_kernel:6.11:-:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.11:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.11:rc7::::::

Information

Published : 2025-07-10 08:15

Updated : 2025-11-18 12:55

NVD link : CVE-2025-38315

Mitre link : CVE-2025-38315

CVE.ORG link : CVE-2025-38315

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-674

Uncontrolled Recursion

{"id": "CVE-2025-38315", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-10T08:15:30.477", "references": [{"url": "https://git.kernel.org/stable/c/3aa1dc3c9060e335e82e9c182bf3d1db29220b1b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7b8526bb489780ccc0caffc446ecabec83cfe568", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9427f6081f37c795a8bd29d0ee72a4da3bd64af8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Check dsbr size from EFI variable\n\nSince the size of struct btintel_dsbr is already known, we can just\nstart there instead of querying the EFI variable size. If the final\nresult doesn't match what we expect also fail. This fixes a stack buffer\noverflow when the EFI variable is larger than struct btintel_dsbr."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: btintel: Verificar el tama\u00f1o de dsbr desde la variable EFI. Dado que el tama\u00f1o de struct btintel_dsbr ya se conoce, podemos empezar por ah\u00ed en lugar de consultar el tama\u00f1o de la variable EFI. Si el resultado final no coincide con lo esperado, tambi\u00e9n falla. Esto corrige un desbordamiento del b\u00fafer de pila cuando la variable EFI es mayor que struct btintel_dsbr."}], "lastModified": "2025-11-18T12:55:03.403", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6FDD3526-677B-4A8D-8220-1513CA0BBEC9", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.11.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0541C761-BD5E-4C1A-8432-83B375D7EB92", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4770BA57-3F3F-493B-8608-EC3B25254949"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B77A9280-37E6-49AD-B559-5B23A3B1DC3D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE5298B3-04B4-4F3E-B186-01A58B5C75A6"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}