logo_clicknbuy.png

CVE-2025-21827 – Mediatek btusb Bluetooth NULL Pointer Dereference

The following table lists the changes that have been made to the
CVE-2025-21827 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Mar. 06, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved:

    Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()

    The documentation for usb_driver_claim_interface() says that “the
    device lock” is needed when the function is called from places other
    than probe(). This appears to be the lock for the USB interface
    device. The Mediatek btusb code gets called via this path:

    Workqueue: hci0 hci_power_on [bluetooth]
    Call trace:
    usb_driver_claim_interface
    btusb_mtk_claim_iso_intf
    btusb_mtk_setup
    hci_dev_open_sync
    hci_power_on
    process_scheduled_works
    worker_thread
    kthread

    With the above call trace the device lock hasn’t been claimed. Claim
    it.

    Without this fix, we’d sometimes see the error “Failed to claim iso
    interface”. Sometimes we’d even see worse errors, like a NULL pointer
    dereference (where `intf->dev.driver` was NULL) with a trace like:

    Call trace:
    usb_suspend_both
    usb_runtime_suspend
    __rpm_callback
    rpm_suspend
    pm_runtime_work
    process_scheduled_works

    Both errors appear to be fixed with the proper locking.
    Added Reference https://git.kernel.org/stable/c/4194766ec8756f4f654d595ae49962acbac49490
    Added Reference https://git.kernel.org/stable/c/930e1790b99e5839e1af69d2f7fd808f1fba2df9
    Added Reference https://git.kernel.org/stable/c/e9087e828827e5a5c85e124ce77503f2b81c3491
Share the Post:

Related Posts