Linux Kernel Bluetooth NULL Pointer Dereference Vulnerability in btusb Component

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's Bluetooth subsystem, specifically within the btusb component. This issue arises when processing a QCA firmware crash dump on the WCN7851 chipset. The vulnerability occurs because the function handle_dump_pkt_qca() incorrectly returns a success value, leading to the premature deallocation of a socket buffer (skb). When the Bluetooth device driver subsequently attempts to dequeue the same skb from the dump queue, it results in a NULL pointer dereference.

Impact

Exploitation of this vulnerability leads to a kernel NULL pointer dereference, causing a crash in the Bluetooth subsystem.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

9.0

impact

2.5

exploitability

5.3

remediation

0.0

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

9.0

impact

2.5

exploitability

5.3

remediation

0.0

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Linux Kernel Bluetooth NULL Pointer Dereference Vulnerability in btusb Component

Vulnerability

Impact

Affected Products

Linux kernel

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating